Q60 — AWS SCS-C02 Ch.1


A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network. How can the security engineer implement this solution?

Correct Answer: C. Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access and attach the database security group to the database instances.

Explanation

Controlling traffic across an AWS VPC peering connection comes down to security group configuration. The scenario requires that only specific EC2 instances be able to reach the databases, and those instances change dynamically. AWS security groups allow a source security group ID to be referenced as the rule condition instead of relying on static IP addresses, which is better suited to a dynamic environment. Option C configures the security group in the database VPC to allow traffic (TCP 1521) only from a specific security group in the application VPC, and attaches that security group only to the instances that need access, which keeps permissions to the minimum. The other options either rely on IP address ranges (which cannot precisely control individual instances) or wrongly combine network ACLs (subnet-level rules that cannot provide fine-grained control). "AWS Security Best Practices" points out that referencing security group IDs is preferable to IP addresses, especially in scenarios where instances change frequently.