Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 363 discussion

B. Create security group rules using the security group ID as the source or destination. SG nesting

Answer is B. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html

B The ID of a security group (referred to here as the specified security group). For example, the current security group, a security group from the same VPC, or a security group for a peered VPC. This allows traffic based on the private IP addresses of the resources associated with the specified security group. This does not add rules from the specified security group to the current security group. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html

B In fact, A is more secure, as SG may be added to other EC2s, not only instances in application tiers. But if these application tiers work with ASG, A will be a trouble. So Ans should be B

Are these dumps even worth it?

I am guessing that we reference the security ID so that the security group rules are aggregated and therefore follow the rules of least privilege?

(Inbound rules only) The source of the traffic and the destination port or port range. The source can be another security group, an IPv4 or IPv6 CIDR block, a single IPv4 or IPv6 address, or a prefix list ID. so its B & D

AWS Security Group can't be nested; they can contain only users, not other groups. AWS Security Group has no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it. Anser is A

"principle of least privilege" Answer is B; security group of instances to another from tier to tier

B...always preferer SG ID over Instance ID

Yes its B.