Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 55 discussion

A solutions architect is developing a VPC architecture that includes multiple subnets. The architecture will host applications that use Amazon EC2 instances and Amazon RDS DB instances. The architecture consists of six subnets in two Availability Zones. Each Availability Zone includes a public subnet, a private subnet, and a dedicated subnet for databases. Only EC2 instances that run in the private subnets can have access to the RDS databases.
Which solution will meet these requirements?

  • A. Create a new route table that excludes the route to the public subnets' CIDR blocks. Associate the route table with the database subnets.
  • B. Create a security group that denies inbound traffic from the security group that is assigned to instances in the public subnets. Attach the security group to the DB instances.
  • C. Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances.
  • D. Create a new peering connection between the public subnets and the private subnets. Create a different peering connection between the private subnets and the database subnets.
Suggested Answer: C 🗳️
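The design behind answer C is a security group rule whose source is another security group rather than an address range. The following is an added example written for this page, not ExamTopics' or AWS's own code: the group IDs, subnet CIDRs, host names and addresses are constructed for illustration, `db_ingress_permission` builds the `IpPermissions` entry that boto3's `ec2.authorize_security_group_ingress` accepts, and `ingress_allowed` is a simplified model of how EC2 evaluates security-group rules (allow-only, a source-group match decided by which groups are attached to the sending instance). It also contrasts the group-referencing rule with a CIDR-based rule to show what each one actually admits.

```python
"""Option C modelled: the DB security group admits the database port only from
members of the application security group. Added example; IDs and addresses
below are hypothetical."""
from dataclasses import dataclass
import ipaddress

# Constructed identifiers (real group IDs look like sg-0123456789abcdef0)
APP_SG = "sg-0app00000000000001"     # attached to EC2 instances in the private subnets
PUBLIC_SG = "sg-0pub00000000000001"  # attached to EC2 instances in the public subnets
DB_SG = "sg-0db000000000000001"      # attached to the RDS DB instances
DB_PORT = 5432                       # PostgreSQL; 3306 for MySQL/MariaDB

PRIVATE_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # constructed CIDRs, one per AZ


def db_ingress_permission(source_sg: str, port: int = DB_PORT) -> dict:
    """IpPermissions entry for
    ec2.authorize_security_group_ingress(GroupId=DB_SG, IpPermissions=[...]).
    UserIdGroupPairs references the source group by ID, so the rule follows
    group membership rather than a fixed address range."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg, "Description": "app tier only"}],
    }


def cidr_permission(cidrs: list, port: int = DB_PORT) -> dict:
    """The address-based alternative: admit whole subnet CIDR blocks."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
    }


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset  # security groups attached to the instance's network interface


def ingress_allowed(permissions: list, src: Instance, port: int, protocol: str = "tcp") -> bool:
    """Simplified model of security-group evaluation at the DB instance:
    rules are allow-only, any matching rule admits the packet, and no match
    means drop. There is no deny rule to express. Return traffic is covered
    by state tracking, so only the inbound direction needs a rule."""
    for perm in permissions:
        if perm["IpProtocol"] == "-1":          # "all traffic" rules carry no ports
            port_ok = True
        elif perm["IpProtocol"] == protocol:
            port_ok = perm["FromPort"] <= port <= perm["ToPort"]
        else:
            continue
        if not port_ok:
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] in src.groups:   # membership, not subnet, decides
                return True
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_address(src.ip) in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


def evaluate_design() -> dict:
    """Run the group-referencing rule and the CIDR rule against constructed
    hosts in each tier and return what each rule admits."""
    app = Instance("app-1a (private)", "10.0.10.15", frozenset({APP_SG}))
    web = Instance("web-1a (public)", "10.0.0.20", frozenset({PUBLIC_SG}))
    # launched in a private subnet but never given the app group:
    stray = Instance("jump (private, no app SG)", "10.0.11.9", frozenset({PUBLIC_SG}))
    # launched in a public subnet but given the app group by mistake:
    mislabelled = Instance("web-2 (public, app SG attached)", "10.0.1.7", frozenset({APP_SG}))
    hosts = [app, web, stray, mislabelled]

    by_group = [db_ingress_permission(APP_SG)]
    by_cidr = [cidr_permission(PRIVATE_SUBNETS)]
    return {
        "group_rule": {h.name: ingress_allowed(by_group, h, DB_PORT) for h in hosts},
        "cidr_rule": {h.name: ingress_allowed(by_cidr, h, DB_PORT) for h in hosts},
        "ssh_from_app": ingress_allowed(by_group, app, 22),  # no rule for 22 -> dropped
    }


if __name__ == "__main__":
    for rule, results in evaluate_design().items():
        print(rule, results)
```

Two points the model makes visible. First, the group reference follows membership: `web-2` sits in a public subnet but is admitted because someone attached `APP_SG` to it, so the design only holds if attaching that group is itself controlled (for example through IAM and launch templates), while the CIDR rule admits every address in the private subnets including the jump host that was never meant to reach the database. Second, because security groups cannot express a deny, an explicit block of the public subnets belongs in a network ACL on the database subnets if the design calls for one; the security group alone already drops everything it does not list.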

Comments

Sinaneos
Highly Voted 2 years, 1 month ago
Selected Answer: C
A: doesn't fully configure the traffic flow.
B: security groups don't have deny rules.
D: peering is mostly between VPCs, doesn't really help here.
Answer is C, most mainstream way.
upvoted 51 times
Gary_Phillips_2007
Highly Voted 1 year, 8 months ago
Just took the exam today and EVERY ONE of the questions came from this dump. Memorize it all. Good luck.
upvoted 32 times
orhan64
1 year, 3 months ago
Hey bro, did you buy premium access?
upvoted 5 times
PaulGa
Most Recent 2 months, 1 week ago
Selected Answer: C
Ans C - only one that makes sense: "...a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets" - operative word: "allows"
upvoted 2 times
awsgeek75
10 months, 1 week ago
Selected Answer: C
A: route table that connects... no idea what this option is trying to do, but it won't work for RDS.
B: SGs are deny by default.
D: Peering connection between subnets? No idea what this is, but happy to learn if such a thing exists.
C: An SG that allows input from the private subnet means everything else will be blocked. Attaching this SG to the DB instance means it will block everything except the private subnet instances, which is where the required EC2 instances are.
upvoted 5 times
AWSStudyBuddy
1 year, 1 month ago
Selected Answer: C
RDS databases can only be accessed by EC2 instances located in private subnets: the DB instances' security group will permit incoming traffic from the security group given to instances in the private subnets. Because of this, the RDS databases will only be accessible by EC2 instances located in the private subnets. Because of its safe architecture, every other source of incoming traffic will be blocked by the security group that is linked to the database instances. The RDS databases will be better shielded from unwanted access thanks to this.
upvoted 2 times
Guru4Cloud
1 year, 3 months ago
Selected Answer: C
The key reasons are: Using security groups to control access between resources is a standard practice in VPCs. The security group attached to the RDS DB instances can allow inbound traffic from the security group for the EC2 instances in the private subnets. This allows only those EC2 instances in the private subnets to connect to the databases, meeting the requirements. Route tables, peering connections, and denying public subnet access would not achieve the needed selectivity of allowing only the private subnet EC2 instances. Security groups provide stateful filtering at the instance level for precise access control.
upvoted 3 times
TariqKipkemei
1 year, 3 months ago
Selected Answer: C
Security groups only have allow rules
upvoted 3 times
praveenvky83
1 year, 3 months ago
Selected Answer: C
Option C
upvoted 1 times
miki111
1 year, 4 months ago
Option C is the correct answer
upvoted 1 times
cookieMr
1 year, 5 months ago
Selected Answer: C
Creating a security group that allows inbound traffic from the security group assigned to instances in the private subnets ensures that only EC2 instances running in private subnets can access the RDS databases. By associating the security group with the DB, you restrict access to only instances that belong to the designated security group.
A: While this approach may help control routing within the VPC, it does not address the specific access requirement between EC2 instances and RDS databases.
B: Using a deny rule in a security group can lead to complexities and potential misconfigurations. It is generally recommended to use allow rules to explicitly define access permissions.
D: Peering connections enable communication between different VPCs or VPCs in different regions, and they are not necessary for restricting access between subnets within the same VPC.
upvoted 4 times
Bmarodi
1 year, 5 months ago
Selected Answer: C
Option C meets the requirements.
upvoted 1 times
Abrar2022
1 year, 6 months ago
By default, a security group is set up with rules that deny all inbound traffic and permit all outbound traffic.
upvoted 2 times
water314
1 year, 6 months ago
Selected Answer: C
CCCCCCCCCCC
upvoted 1 times
SilentMilli
1 year, 10 months ago
Selected Answer: C
Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances. This will allow the EC2 instances in the private subnets to have access to the RDS databases while denying access to the EC2 instances in the public subnets.
upvoted 2 times
Buruguduystunstugudunstuy
1 year, 11 months ago
Selected Answer: C
The solution that meets the requirements described in the question is option C: Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances. In this solution, the security group applied to the DB instances allows inbound traffic from the security group assigned to instances in the private subnets. This ensures that only EC2 instances running in the private subnets can have access to the RDS databases.
upvoted 3 times
Buruguduystunstugudunstuy
1 year, 11 months ago
Option A, creating a new route table that excludes the route to the public subnets' CIDR blocks and associating it with the database subnets, would not meet the requirements because it would block all traffic to the database subnets, not just traffic from the public subnets.
Option B, creating a security group that denies inbound traffic from the security group assigned to instances in the public subnets and attaching it to the DB instances, would not meet the requirements because it would allow all traffic from the private subnets to reach the DB instances, not just traffic from the security group assigned to instances in the private subnets.
Option D, creating a new peering connection between the public subnets and the private subnets and a different peering connection between the private subnets and the database subnets, would not meet the requirements because it would allow all traffic from the private subnets to reach the DB instances, not just traffic from the security group assigned to instances in the private subnets.
upvoted 1 times
Nandan747
1 year, 11 months ago
Selected Answer: C
The real trick is between B and C. A and D are ruled out for obvious reasons. B is wrong as you cannot have deny-type rules in security groups. So C is the right answer.
upvoted 4 times
ashish_t
1 year, 12 months ago
Selected Answer: C
The key is "Only EC2 instances that run in the private subnets can have access to the RDS databases" The answer is C.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other