You are designing a VPC with two public subnets for a load balancer, two private subnets for web servers, and two private subnets for MySQL. The web servers serve only HTTPS. A security group for the load balancer already allows port 443 from 0.0.0.0/0. Company policy requires least privilege for each resource. Which additional configuration should you apply to meet this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group..
Why this is the answer
The correct option uses security groups, which are stateful and operate at the instance level, making them ideal for least privilege. Allowing port 443 from the load balancer's security group to the web servers ensures only traffic originating from the load balancer can reach the web servers. Similarly, allowing port 3306 from the web servers' security group to the MySQL servers ensures only the web servers can initiate connections to the database. The incorrect options involving 0.0.0.0/0 for web servers violate the least privilege principle by allowing traffic from anywhere on the internet, which is not necessary since the web servers are behind a load balancer. Network ACLs are stateless and operate at the subnet level, making them less granular and more complex to manage for instance-level traffic filtering compared to security groups.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed