Q90 — AWS SAA-C03 Ch.4
Question 90 of 105 | ← Chapter 4
Q285. A solutions architect is creating a new VPC design. There are two public subnet for the load balancer, two private subnets for web servers, and two private subnets for MySQL. The web serves use only HTTPS. The solutions architect has already created a security group for the load Balancer allowing port 443 from 0.0 0.0/0. Company policy requires that each resource has the least access required to still be able to perform its tasks. Which additional configuration strategy should the solution architect use to meet these requirements?
- A. Create a security group for the web servers and allow port 443 from 0.0.0.0/0.Create a security group tor the MySQL serve's aid allow port 3306 from the web servers security group.
- B. Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0.Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group
- C. Create a security group for the web servers and allow port 443 from the load balancer.Create a security group tor the MySQL servers and allow port 3306 from the web sewers security group ✓
- D. Create a network ACL for the web servers and allow port 443 from the web balancer.Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.
Correct Answer: C. Create a security group for the web servers and allow port 443 from the load balancer.Create a security group tor the MySQL servers and allow port 3306 from the web sewers security group
Explanation
Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.