AWS Certified Security - Specialty Exam: Security Group Configuration for Web Application in VPC

Security Group Configuration for Web Application in VPC

Question

A web application runs in a VPC on EC2 instances behind an ELB Application Load Balancer.

The application stores data in an RDS MySQL DB instance.

A Linux bastion host is used to apply schema updates to the database - administrators connect to the host via SSH from a corporate workstation.

The following security groups are applied to the infrastructure:

- sgLB - associated with the ELB
- sgWeb - associated with the EC2 instances
- sgDB - associated with the database
- sgBastion - associated with the bastion host

Which security group configuration will allow the application to be secure and functional?

Answers

Explanations


A. B. C. D.

Answer: D.

The following would be the application data flow to make it secure and functional.

Load Balancer - The application is reached from the internet here, so the load balancer accepts traffic on ports 80 and 443.

Web Servers - Accessible only from the Elastic Load Balancer.

Database Servers - The web servers must be able to reach the database server.

Bastion Host - Used by administrators to connect to the database.

Option A is incorrect because the sgWeb should only allow traffic from the load balancer and not the public internet (0.0.0.0/0).

Option B is incorrect because the Database should not be accessed directly from the Load Balancer, and the bastion host should only allow traffic from the corporate IP address range and not the VPC IP addresses.

Option C is incorrect because the bastion host should only allow traffic from the corporate IP address range.

Option D is CORRECT because it provides the correct application data flow as required.

For more information on AWS Security Groups, please refer to the below URL:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

The correct answer is option D.

Explanation:

The security group configuration for each component should be as follows:

sgLB (ELB security group): It should allow incoming traffic on ports 80 and 443 from the internet (0.0.0.0/0), as it is the entry point for the application.

sgWeb (EC2 security group): It should allow incoming traffic on ports 80 and 443 only from sgLB (the ELB security group), so that the load balancer is the sole source of inbound traffic to the web server instances.

sgDB (RDS security group): It should allow incoming traffic on port 3306 from the sgWeb and sgBastion security groups. This allows the web server instances and the bastion host to connect to the RDS MySQL instance.

sgBastion (Bastion Host security group): It should allow incoming traffic on port 22 from the corporate IP address range. This is to ensure that only authorized administrators can access the bastion host via SSH from a corporate workstation.

Therefore, option D is the correct answer as it satisfies all the security requirements for the infrastructure to be secure and functional.
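The intended flow above can be expressed as a policy and checked mechanically against security-group rules. The example below is added here and is not part of the original page or of AWS tooling: it builds the four groups in the same shape that `aws ec2 describe-security-groups` returns (`GroupId`, `GroupName`, `IpPermissions`), lints them against the explanation's data flow, and also checks two constructed variants that mirror the objections to options A and B (sgWeb open to 0.0.0.0/0; sgDB reachable from sgLB and sgBastion reachable from the whole VPC). The group IDs, the corporate range 203.0.113.0/24 and the VPC range 10.0.0.0/16 are placeholders, not values from the page.

```python
"""Lint EC2 security-group rules against the intended application data flow.

Constructed example: the group definitions mimic the shape of
`aws ec2 describe-security-groups` output but are hand-written; the IDs
and CIDR ranges below are placeholders, not values from the original page.
"""

CORPORATE_CIDR = "203.0.113.0/24"   # assumed corporate workstation range
VPC_CIDR = "10.0.0.0/16"            # assumed VPC range

# Role name -> group id (placeholder ids; a real run would resolve these).
SG_IDS = {
    "sgLB": "sg-0000000000000001",
    "sgWeb": "sg-0000000000000002",
    "sgDB": "sg-0000000000000003",
    "sgBastion": "sg-0000000000000004",
}

# Intended flow from the explanation: role -> {port: allowed sources}.
# A source is either another group's role name or a CIDR string.
POLICY = {
    "sgLB": {80: {"0.0.0.0/0"}, 443: {"0.0.0.0/0"}},
    "sgWeb": {80: {"sgLB"}, 443: {"sgLB"}},
    "sgDB": {3306: {"sgWeb", "sgBastion"}},
    "sgBastion": {22: {CORPORATE_CIDR}},
}


def rule(port, *sources):
    """Build one IpPermissions entry for TCP `port` from CIDRs and/or role names."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    for src in sources:
        if src in SG_IDS:
            perm["UserIdGroupPairs"].append({"GroupId": SG_IDS[src]})
        else:
            perm["IpRanges"].append({"CidrIp": src})
    return perm


def group(role, *perms):
    """Build one security group record in describe-security-groups shape."""
    return {"GroupId": SG_IDS[role], "GroupName": role, "IpPermissions": list(perms)}


def option_d():
    """The configuration the explanation describes as correct."""
    return [
        group("sgLB", rule(80, "0.0.0.0/0"), rule(443, "0.0.0.0/0")),
        group("sgWeb", rule(80, "sgLB"), rule(443, "sgLB")),
        group("sgDB", rule(3306, "sgWeb", "sgBastion")),
        group("sgBastion", rule(22, CORPORATE_CIDR)),
    ]


def web_open_to_internet():
    """Constructed variant mirroring the objection to option A."""
    groups = option_d()
    groups[1]["IpPermissions"] = [rule(80, "0.0.0.0/0"), rule(443, "0.0.0.0/0")]
    return groups


def db_from_lb_and_bastion_from_vpc():
    """Constructed variant mirroring the objection to option B."""
    groups = option_d()
    groups[2]["IpPermissions"] = [rule(3306, "sgLB")]
    groups[3]["IpPermissions"] = [rule(22, VPC_CIDR)]
    return groups


def lint(groups):
    """Return a list of findings; an empty list means the groups match POLICY.

    Two kinds of finding are produced: a source allowed on a port that the
    intended flow does not list (a security gap) and a required source that
    is absent (a functional gap, e.g. the web tier cannot reach the database).
    """
    id_to_role = {gid: role for role, gid in SG_IDS.items()}
    findings = []
    for g in groups:
        role = g["GroupName"]
        expected = POLICY.get(role, {})
        seen = {}  # port -> set of sources actually allowed inbound
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] == "-1":
                findings.append(f"{role}: allows all protocols and ports")
                continue
            srcs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            srcs |= {id_to_role.get(p["GroupId"], p["GroupId"])
                     for p in perm.get("UserIdGroupPairs", [])}
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                seen.setdefault(port, set()).update(srcs)
        for port, actual in sorted(seen.items()):
            for src in sorted(actual - expected.get(port, set())):
                findings.append(f"{role}: port {port} open to {src}, not in intended flow")
        for port, required in expected.items():
            for src in sorted(required - seen.get(port, set())):
                findings.append(f"{role}: port {port} missing required source {src}")
    return findings


if __name__ == "__main__":
    for name, build in [("option D", option_d),
                        ("web open to internet", web_open_to_internet),
                        ("db from LB / bastion from VPC", db_from_lb_and_bastion_from_vpc)]:
        print(f"== {name} ==")
        for line in lint(build()) or ["no findings"]:
            print("  " + line)
```

Against a live account the `groups` list can be taken from the `SecurityGroups` key of `aws ec2 describe-security-groups --output json`, with `SG_IDS` filled from the real group IDs; the lint then reports both over-permissive sources and missing ones, which is the same two-sided check (secure and functional) the question asks for.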