Exam AWS Certified Security - Specialty topic 1 question 402 discussion

A : The access rules enforced by your local firewall and the IP addresses authorized to access your DB instance might not match. The problem is most likely the inbound rules in your security group. By default, DB instances don't allow access. Access is granted through a security group https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html

The inbound rule for the security group needs to be configured for the database servers. Since the traffic flow is going from the application servers to the database tier we need to ensure that the outbound rule is configured correctly on the application tier. A

Source is Application and Destination would be DB. So DB inbound SG needs to be in place. Security groups are stateful allowing return traffic for the matching session and return traffic is on the random port so no SG for the return (Inbound on the application) is needed.

Think it is A assuming application is the origin and database is the destination, SG has default allow outbound rule 0.0.0.0/0, so this option makes more sense to me

B. Check the outbound rules for the database security group. Check the inbound rules for the application security group. To communicate with the database instances, the application instances need to be able to send traffic to the database instances. Therefore, the security engineer should check the outbound rules for the database security group to make sure that the traffic from the application instances is allowed.

Think it is A also but this seems like a trick question of sorts can someone confirm ?