After migrating a three-tier application to a VPC, the security team finds that least privilege is not being applied to Amazon EC2 security group ingress and egress rules between tiers. What should a solutions architect do to fix this?
Choose an answer
Tap an option to check your answer.
Correct answer: Create security group rules that use the security group ID as the source or destination..
Why this is the answer
Using security group IDs as sources or destinations in rules is the most effective way to implement least privilege between application tiers in a VPC. This allows you to restrict traffic precisely to and from specific groups of instances (e.g., web servers to application servers) without exposing them to broader network ranges. Using instance IDs is not practical because instance IDs change if instances are terminated and relaunched, breaking the rules. Using the VPC CIDR block is too permissive, allowing traffic from any instance within the entire VPC, violating least privilege. Similarly, using subnet CIDR blocks is also too broad, as it would allow traffic from all instances within that subnet, not just the specific tier intended.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed