Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 87 discussion

A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB Cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group.

The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Add an inbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the source over the default Aurora port.
  • B. Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the destination over the default Aurora port.
  • C. Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the source over the default Aurora port.
  • D. Add an outbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the destination over the default Aurora port.
  • E. Add an outbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the destination over the ephemeral ports.
Suggested Answer: BC

Comments

masetromain
Highly Voted 2 years, 3 months ago
Selected Answer: BC
The correct combination of steps to meet these requirements is B and C. B. Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the destination over the default Aurora port. This allows the instances to make outbound connections to the DB cluster on the default Aurora port. C. Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the source over the default Aurora port. This allows connections to the DB cluster from the EC2 instances on the default Aurora port.
upvoted 32 times
masetromain
2 years, 3 months ago
A. Adding an inbound rule to the EC2 instances' security group would allow incoming connections to the instances on the default Aurora port, but it would not allow the instances to connect to the DB cluster. D. Adding an outbound rule to the DB cluster's security group would allow the DB cluster to make outbound connections to the EC2 instances on the default Aurora port, but it would not allow connections to the DB cluster from the instances. E. Adding an outbound rule to the DB cluster's security group specifying the EC2 instances' security group as the destination over the ephemeral ports would allow the DB cluster to make outbound connections to the instances on ephemeral ports, but it would not allow connections to the DB cluster from the instances on the default Aurora port.
upvoted 3 times
vjp_training
1 year, 7 months ago
Security group is stateful. So you just need to set up inbound
upvoted 3 times
HussamShokr
1 year, 10 months ago
Why should we add an outbound rule to the EC2 instances' security group? It is already allowed by default in the EC2 security group because all outbound ports are allowed by default.
upvoted 3 times
jainparag1
1 year, 5 months ago
Wow, then in that case your EC2 instance can talk to anything. No SG rule is required. You need to establish a connectivity route first.
upvoted 1 times
ninomfr64
1 year, 3 months ago
It is the other way around: all connections are denied and you can only allow connections. You need outbound from EC2 to Aurora to allow the app to initiate a connection to the database instance.
upvoted 2 times
c73bf38
Highly Voted 2 years, 2 months ago
Selected Answer: AC
To provide the application with least privilege access to the Aurora DB cluster, the solutions architect should add inbound rules to both the security groups. For the EC2 instances' security group, an inbound rule should be added that allows traffic from the DB cluster's security group over the default Aurora port. This will allow the EC2 instances to communicate with the Aurora DB cluster. For the Aurora DB cluster's security group, an inbound rule should be added that allows traffic from the EC2 instances' security group over the default Aurora port. This will allow the Aurora DB cluster to communicate with the EC2 instances. By default all outbound rules are open, it's only the ingress that needs to allow traffic.
upvoted 12 times
c73bf38
2 years, 2 months ago
B & C after doing a recreate in the AWS Console; I stand corrected.
upvoted 7 times
c73bf38
2 years, 2 months ago
To provide the application with least privilege access to the Amazon Aurora DB Cluster, the solutions architect should take the following steps: Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the source over the default Aurora port (port 3306). This will allow the EC2 instances to connect to the Aurora DB Cluster. Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the destination over the default Aurora port (port 3306). This will allow the EC2 instances to send traffic to the Aurora DB Cluster.
upvoted 3 times
penguins2
Most Recent 5 months, 3 weeks ago
BC. The steps are clearly stated here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/tutorial-ec2-rds-option3.html#option3-task3-connect-rds-database-to-ec2-instance
upvoted 1 times
nimbus_00
6 months, 3 weeks ago
Selected Answer: BC
NB. The DB cluster doesn't need to initiate connections to the EC2 instances.
upvoted 1 times
gofavad926
1 year, 1 month ago
Selected Answer: BC
BC, ec2 -> db; ec2 outbound rule to allow access to db; db inbound rule to allow access from ec2
upvoted 2 times
igor12ghsj577
1 year, 3 months ago
Selected Answer: BC
Tricky question. They say with least privileges, so I think they don't want to use the default (allow-all) rule, but limit as much as possible and allow only specific traffic to the DB: "By default, a security group includes an outbound rule that allows all outbound traffic. We recommend that you remove this default rule and add outbound rules that allow specific outbound traffic only." https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html
upvoted 3 times
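The two rules that the top answer (masetromain) settles on, plus the point igor12ghsj577 raises about removing the default allow-all egress rule, can be turned into an automated check. The following is an added example, not code from this discussion or from AWS: a small Python checker that takes security groups in the JSON shape returned by `aws ec2 describe-security-groups` (`IpPermissions`, `IpPermissionsEgress`, `UserIdGroupPairs`) and reports whether the pair implements option B (app egress to the DB SG on the Aurora port) and option C (DB ingress from the app SG on that port) and nothing broader. The two sample group sets are constructed for the example, the group IDs are placeholders, and the checker assumes an Aurora MySQL-compatible cluster on port 3306.

```python
"""Least-privilege check for an EC2 app SG -> Aurora DB SG pair (added example).

Input follows the JSON shape of `aws ec2 describe-security-groups`. The two
sample group sets below are constructed; the group IDs are placeholders.
"""

AURORA_MYSQL_PORT = 3306  # default port of an Aurora MySQL-compatible cluster (assumption)

APP_SG = "sg-0app-placeholder"  # placeholder ID for the EC2 instances' SG
DB_SG = "sg-0db-placeholder"    # placeholder ID for the DB cluster's SG


def sg_rule(port, group_id=None, cidr=None, protocol="tcp"):
    """Build one rule in describe-security-groups shape (sample-data helper)."""
    return {
        "IpProtocol": protocol,
        "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": group_id}] if group_id else [],
    }


# The default egress rule AWS attaches to every new security group.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                  "Ipv6Ranges": [], "UserIdGroupPairs": []}

# Constructed sample: options B + C with the default egress rule removed.
LEAST_PRIVILEGE_GROUPS = [
    {"GroupId": APP_SG, "GroupName": "app-ec2",
     "IpPermissions": [],
     "IpPermissionsEgress": [sg_rule(AURORA_MYSQL_PORT, group_id=DB_SG)]},
    {"GroupId": DB_SG, "GroupName": "aurora-db",
     "IpPermissions": [sg_rule(AURORA_MYSQL_PORT, group_id=APP_SG)],
     "IpPermissionsEgress": []},
]

# Constructed sample: the "A + C" reading, with the default allow-all egress left in.
OVERLY_BROAD_GROUPS = [
    {"GroupId": APP_SG, "GroupName": "app-ec2",
     "IpPermissions": [sg_rule(AURORA_MYSQL_PORT, group_id=DB_SG)],
     "IpPermissionsEgress": [DEFAULT_EGRESS]},
    {"GroupId": DB_SG, "GroupName": "aurora-db",
     "IpPermissions": [sg_rule(AURORA_MYSQL_PORT, group_id=APP_SG)],
     "IpPermissionsEgress": [DEFAULT_EGRESS]},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return rule["IpProtocol"] == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", -1)


def rule_targets_group(rule, group_id, port):
    """True if the rule allows TCP `port` to/from the given security group."""
    return rule_covers_port(rule, port) and any(
        p.get("GroupId") == group_id for p in rule.get("UserIdGroupPairs", []))


def is_allow_all(rule):
    """True for the default "all traffic to 0.0.0.0/0 or ::/0" egress rule."""
    return rule["IpProtocol"] == "-1" and (
        any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", [])))


def check_least_privilege(groups, app_sg_id, db_sg_id, port=AURORA_MYSQL_PORT):
    """Return a list of findings; an empty list means B + C and nothing broader."""
    by_id = {g["GroupId"]: g for g in groups}
    app, db = by_id[app_sg_id], by_id[db_sg_id]
    findings = []

    # Option B: the app SG must allow egress to the DB SG on the Aurora port.
    if not any(rule_targets_group(r, db_sg_id, port) for r in app["IpPermissionsEgress"]):
        findings.append(f"app: no egress rule to the DB SG on port {port} (option B)")
    # Option C: the DB SG must allow ingress from the app SG on the Aurora port.
    if not any(rule_targets_group(r, app_sg_id, port) for r in db["IpPermissions"]):
        findings.append(f"db: no ingress rule from the app SG on port {port} (option C)")

    # The DB cluster never initiates connections, so ingress on the app SG over
    # the Aurora port (option A) is unnecessary exposure.
    if any(rule_covers_port(r, port) for r in app["IpPermissions"]):
        findings.append(f"app: unnecessary ingress on port {port} (option A)")

    # The default allow-all egress rule defeats least privilege on either group.
    for g in (app, db):
        if any(is_allow_all(r) for r in g["IpPermissionsEgress"]):
            findings.append(f"{g['GroupName']}: default allow-all egress rule still present")

    # The DB SG should admit only the app SG: no CIDR sources, no other groups.
    for r in db["IpPermissions"]:
        extra = r.get("IpRanges") or r.get("Ipv6Ranges") or [
            p for p in r.get("UserIdGroupPairs", []) if p.get("GroupId") != app_sg_id]
        if extra:
            findings.append("db: ingress from a source other than the app SG")
    return findings


if __name__ == "__main__":
    for name, groups in (("least-privilege", LEAST_PRIVILEGE_GROUPS),
                         ("overly-broad", OVERLY_BROAD_GROUPS)):
        print(name, check_least_privilege(groups, APP_SG, DB_SG) or ["OK"])
```

Run against real output, the `groups` argument would be the `SecurityGroups` list from `aws ec2 describe-security-groups --group-ids <app-sg> <db-sg>`. The check is deliberately strict about the DB SG: because a security group is stateful, the response traffic needs no rule of its own, so any egress on the DB SG and any ingress on the app SG over the Aurora port is surplus and gets reported.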
cox1960
1 year, 3 months ago
CE. A and B are nonsense, since they talk about the Aurora port on EC2 SGs; in SGs you always put rules on the local ports. C is obvious. E over D: always ephemeral on outbound, but on the condition that we replace the existing all-open rule.
upvoted 1 times
jpa8300
1 year, 4 months ago
Selected Answer: BC
I believe that C is enough; we don't need to define the outbound from EC2 to DB, but since we have to choose two, the only other option that is correct is B. And someone says below that they have tested this configuration, so I hope they tested defining only what is mentioned in C, to see if it is enough or not. It would be nice.
upvoted 3 times
shaaam80
1 year, 5 months ago
Selected Answer: BC
Answer: B & C. Outbound rule to the EC2 SG with the DB SG as destination; inbound rule to the DB SG with the EC2 SG as source.
upvoted 1 times
eurriola10
1 year, 5 months ago
Selected Answer: AC
Security Groups are stateful, which means you don't need to specify an outbound rule if you have an inbound rule that permits access to the resource. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html#security-group-basics On the other hand, outbound traffic rules typically don't apply to DB clusters. Outbound traffic rules apply only if the DB cluster acts as a client. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.VPCSec Because of that, B, D and E are wrong answers.
upvoted 1 times
uC6rW1aB
1 year, 8 months ago
Selected Answer: AC
By default, AWS Security Groups allow all outbound traffic. Therefore, in most cases, there's no need to configure outbound rules unless you have specific security requirements. Add an inbound rule to the EC2 instance's security group, setting the DB cluster's security group as the source over Aurora's default port. This enables interaction between the DB Cluster and the EC2 instances. Corresponds to Option A. Add an inbound rule to the DB Cluster's security group, setting the EC2 instance's security group as the source over Aurora's default port. This allows the EC2 instances to interact with the DB Cluster. Corresponds to Option C.
upvoted 2 times
uC6rW1aB
1 year, 8 months ago
By the way, the outbound rules are unnecessary in this case because the database cluster does not need to access any data from the application. The database cluster only needs to receive traffic from the application so that the application can read and write to the database.
upvoted 1 times
eurriola10
1 year, 5 months ago
My two cents: agree, AC are the correct answer. Security Groups are stateful, which means you don't need to specify an outbound rule if you have an inbound rule that permits access to the resource. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html#security-group-basics On the other hand, outbound traffic rules typically don't apply to DB clusters. Outbound traffic rules apply only if the DB cluster acts as a client. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.VPCSec
upvoted 1 times
vjp_training
1 year, 8 months ago
Selected Answer: AC
By default, all outbound traffic is allowed.
upvoted 1 times
vn_thanhtung
1 year, 8 months ago
Don't provide the wrong answer. The answer is B, C.
upvoted 1 times
jainparag1
1 year, 5 months ago
You are providing the wrong answer. The correct answer is AC. Inbound rules are supposed to be added.
upvoted 1 times
vn_thanhtung
1 year, 8 months ago
The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster.
upvoted 1 times
NikkyDicky
1 year, 10 months ago
Selected Answer: BC
BC of course
upvoted 2 times
jainparag1
1 year, 5 months ago
AC is correct.
upvoted 1 times
bcx
1 year, 10 months ago
Selected Answer: BC
It is outbound from the clients to the db server listening port. And inbound to the db server listening ports from the clients.
upvoted 2 times
Jonalb
1 year, 11 months ago
Selected Answer: BC
"My choice relies on the fact that the security groups are stateful, so we only need to allow the outbound traffic for the EC2 instances to pass and the return will also be allowed. Same for the RDS. This combination is also based on the standard traffic flow initiated from instance to DB."
upvoted 1 times
Maria2023
2 years ago
Selected Answer: BC
My choice relies on the fact that the security groups are stateful, so we only need to allow the outbound traffic for the EC2 instances to pass and the return will also be allowed. Same for the RDS. This combination is also based on the standard traffic flow initiated from instance to DB.
upvoted 3 times
mfsec
2 years, 1 month ago
Selected Answer: BC
BC gets my vote
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other