Enhancing Security for Your AWS Architecture | Exam Answer

Best Practices for Securing EC2 Web Servers and Database in AWS Architecture

Question

Your current setup in AWS consists of the following architecture.

Two public subnets: one hosts the EC2 web servers accessed by users across the internet, and the other hosts the EC2 database server.

The application uses the HTTPS protocol.

Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup? (Select TWO.)

Answers

Explanations

A. B. C. D. E.

Answer: B, D.

Option A is incorrect because assigning public IPs does not enhance the security of the servers.

Option B is CORRECT as moving the database on EC2 to a private subnet is a recommended AWS best practice.

Option C is incorrect because if you move the webserver to a private subnet, users cannot access it over the public network.

Option D is CORRECT as only the necessary ports should be allowed on the web server EC2 instances to prevent unexpected traffic.

Please note that this option modifies the security group (SG) of the web server.

The SG of the database server needs to keep the database port open.

Option E is incorrect because NAT instances should be present in the public subnet to connect databases to the Internet.

The ideal setup is to ensure that the webserver is hosted in the public subnet so that users on the internet can access it.

The database server can be hosted in the private subnet.

The following diagram from the AWS documentation shows how this can be set up:

For more information on public and private subnets in AWS, kindly refer to the following URL.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
VPC with Public and Private Subnets (NAT)

The following diagram shows the key components of the configuration for this scenario:

[Diagram: VPC 10.0.0.0/16 in Availability Zone A, attached to an internet gateway. The public subnet 10.0.0.0/24 holds the web servers (10.0.0.5, 10.0.0.6, 10.0.0.7, with Elastic IPs 198.51.100.1, 198.51.100.2, 198.51.100.3) and a NAT gateway (Elastic IP 198.51.100.4). The private subnet 10.0.1.0/24 holds the database servers.]

Custom route table (public subnet):
10.0.0.0/16 local
0.0.0.0/0 igw-id

Main route table (private subnet):
10.0.0.0/16 local
0.0.0.0/0 nat-gateway-id
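One way to check a VPC for the two weaknesses that options B and D address, as an added example that is not from the original page or the AWS documentation. It audits constructed data shaped like boto3's describe_route_tables and describe_security_groups responses; the subnet and group IDs, the web SG's extra ports and database port 3306 are assumptions, and only explicit route-table associations are considered.

```python
# Added example: inputs are constructed and mimic boto3 describe_route_tables /
# describe_security_groups responses. IDs and database port 3306 are assumptions.

def public_subnets(route_tables):
    """Subnets explicitly associated with a table that routes 0.0.0.0/0 to an IGW."""
    found = set()
    for table in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in table["Routes"]):
            found.update(a["SubnetId"] for a in table["Associations"] if "SubnetId" in a)
    return found

def internet_open_ports(group):
    """Port ranges the security group accepts from any IPv4 or IPv6 address."""
    ranges = set()
    for p in group["IpPermissions"]:
        anywhere = (any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
                    or any(r["CidrIpv6"] == "::/0" for r in p.get("Ipv6Ranges", [])))
        if anywhere:  # IpProtocol "-1" carries no port fields: treat as all ports
            ranges.add((p.get("FromPort", 0), p.get("ToPort", 65535)))
    return ranges

def audit(route_tables, web_sg, db_sg, db_subnet):
    findings = []
    if db_subnet in public_subnets(route_tables):
        findings.append("db-subnet-public")        # addressed by option B
    if internet_open_ports(web_sg) - {(443, 443)}:
        findings.append("web-sg-extra-ports")      # addressed by option D
    if internet_open_ports(db_sg):
        findings.append("db-sg-open-to-internet")
    return findings

def sg(*rules):  # build constructed IpPermissions from (port, source) pairs
    return {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **src}
                              for port, src in rules]}

def rt(default_target, *subnets):  # constructed route table: local route + default route
    routes = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", **default_target}]
    return {"Routes": routes, "Associations": [{"SubnetId": s} for s in subnets]}

ANY = {"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
FROM_WEB = {"UserIdGroupPairs": [{"GroupId": "sg-web"}]}
IGW, NAT = {"GatewayId": "igw-id"}, {"NatGatewayId": "nat-gateway-id"}
# Before: both subnets public; the SG contents are assumed for illustration.
BEFORE = audit([rt(IGW, "subnet-web", "subnet-db")],
               sg((22, ANY), (80, ANY), (443, ANY)), sg((3306, ANY)), "subnet-db")
# After options B and D: database subnet uses the NAT route, web SG allows 443 only.
AFTER = audit([rt(IGW, "subnet-web"), rt(NAT, "subnet-db")],
              sg((443, ANY)), sg((3306, FROM_WEB)), "subnet-db")
```

With real data, pass the `RouteTables` list and the individual `SecurityGroups` entries from the two describe calls to `audit` in place of the constructed values.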

The current architecture consists of two public subnets, one for the EC2 web servers and the other for the EC2 database server. The application uses the HTTPS protocol.

To add better security boundaries to the resources hosted in this setup, we can make the following changes:

Option B: Consider moving the database server to a private subnet. This would prevent the database server from being directly accessible from the internet, as it would be in a subnet that is not connected to the internet gateway. By doing this, we create a security boundary between the database server and the public internet. This would also allow us to create tighter security group rules for the database server, as only traffic from the web servers would be allowed in.

Option C: Consider moving both the web and database servers to a private subnet. By moving both servers to a private subnet, we create a security boundary between the servers and the public internet. This would allow us to further restrict access to the servers and provide better security.

Option D: Only allow the ingress port 443 in the security group of the webserver EC2 instances. By only allowing incoming traffic on port 443, we limit the attack surface of the web servers and prevent potential attackers from accessing other ports on the servers. This would reduce the risk of attacks such as SQL injection or cross-site scripting.

Option E: Consider creating a private subnet and adding a NAT instance to that subnet. By creating a private subnet and adding a NAT instance to it, we can allow the servers in the private subnet to access the internet for updates or patching. This would also create a security boundary between the servers and the internet, preventing direct access to the servers from the internet.

Option A: Assign public IPs to the web servers. Assigning public IPs to the web servers would not add any security boundary to the setup. It would only make the web servers accessible directly from the internet without any restrictions. This would increase the attack surface of the servers and make them vulnerable to attacks.

In conclusion, options B and C would be the best choices to add better security boundaries to the resources hosted in the setup. Options D and E could also add additional security measures, but they are not as effective as moving the servers to a private subnet. Option A would not add any security benefit and should be avoided.