Easy · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Networking, Security Groups

AWS SAP-C02 · Question 69 · Domain 1.2: Security Controls

A company has a multi-tier application running in a VPC. The web tier is in public subnets, and the application and database tiers are in private subnets. The security team wants to implement microsegmentation to ensure that the web tier can only communicate with the application tier on port 8080, and the application tier can only communicate with the database tier on port 3306. All other internal traffic must be blocked. What is the MOST scalable way to implement this?

Answer options:

A.

Use Security Groups. Configure the application tier Security Group to only accept ingress on port 8080 from the web tier Security Group ID. Configure the database tier Security Group to only accept ingress on port 3306 from the application tier Security Group ID.

B.

Use Network Access Control Lists (NACLs). Create rules to allow traffic on specific ports between the CIDR blocks of the public and private subnets.

C.

Deploy AWS Network Firewall in a central inspection VPC. Route all traffic between the tiers through the Transit Gateway to the Network Firewall.

D.

Use AWS WAF and attach it to the Elastic Network Interfaces (ENIs) of the application and database instances.

How to approach this question

Identify the native AWS firewall that supports referencing logical groups rather than IP addresses.

Full Answer

A. Use Security Groups. Configure the application tier Security Group to only accept ingress on port 8080 from the web tier Security Group ID. Configure the database tier Security Group to only accept ingress on port 3306 from the application tier Security Group ID. ✓ Correct
Security Groups act as a stateful virtual firewall for your instances. The most scalable way to implement microsegmentation in AWS is to chain Security Groups by referencing their IDs. For example, the Database Security Group allows inbound MySQL traffic (3306) only from the Application Security Group ID. If an Auto Scaling group adds 10 new application instances, they automatically get access to the database without any firewall rule changes.
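The chaining described above, written out as a CloudFormation template. This is an added example, not part of the original question; the logical names WebSG, AppSG, DbSG and the VpcId parameter are assumptions. Ingress rules are declared as separate AWS::EC2::SecurityGroupIngress resources so that the groups can reference each other without a circular dependency.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Three-tier Security Group chaining by group ID (added example, assumed names)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: the VPC that hosts the three tiers
Resources:
  WebSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier (public subnets)
      VpcId: !Ref VpcId
      # Inbound rules for the web tier itself (e.g. from a load balancer) are out of scope here.
  AppSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier (private subnets)
      VpcId: !Ref VpcId
  DbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier (private subnets)
      VpcId: !Ref VpcId
  # App tier accepts TCP 8080 only from ENIs that are members of WebSG.
  # No CIDR appears, so instances added by Auto Scaling inherit access automatically.
  AppIngressFromWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppSG
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref WebSG
  # Database tier accepts TCP 3306 (MySQL) only from members of AppSG.
  DbIngressFromApp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSG
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !Ref AppSG
```

Because a Security Group denies all inbound traffic not explicitly allowed, these two ingress rules are the only internal paths between the tiers; return traffic is permitted by the stateful tracking, so no ephemeral-port rules are needed.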

Common mistakes

Choosing NACLs, which are stateless and require managing complex ephemeral port rules.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5