AWS Web Application Hosting: Secure Setup

Connect EC2 Instance to Oracle Database: Secure Configuration


Question

You have planned to host a web application on AWS.

You create an EC2 Instance in a public subnet that needs to connect to an EC2 Instance that will host an Oracle database.

Which steps would ensure a secure setup? (SELECT TWO)

Answers

Explanations


A. B. C. D.

Correct Answer - B and C.

The best and most secure option is to place the database in a private subnet.

The below diagram from AWS Documentation shows this setup.

You also restrict access so that the database accepts connections only from the web servers, not from all sources.

Option A is incorrect because, following the best-practice guidelines, DB instances are placed in private subnets and are allowed to communicate with the web servers in the public subnet.

Option D is incorrect because allowing all incoming traffic from the Internet to the DB instance is a security risk.

For more information on this type of setup, please refer to the below URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

[Diagram: VPC (10.0.0.0/16) in a Region with a public subnet holding the web servers (private addresses in 10.0.0.x, Elastic IPs in 198.51.100.x) and a NAT gateway with an Elastic IP.]

Custom route table (public subnet)
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      igw-id

Main route table (private subnet)
Destination    Target
10.0.0.0/16    local
0.0.0.0/0      nat-gateway-id

The most secure way to host a web application on AWS and ensure secure communication between the web server and the database is to place the web server in a public subnet and the database server in a private subnet. This will ensure that the database server is not directly accessible from the internet.

Therefore, options A and D are not correct.

The correct steps to ensure a secure setup are:

B. Place the EC2 instance that will host the Oracle database in a private subnet: A private subnet is not directly accessible from the internet, which provides an additional layer of security. The web server in the public subnet can still communicate with the database server using private IP addresses, but the database server is not exposed to the public internet.

C. Create a database Security group which allows incoming traffic only from the Web server's security group: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. By creating a security group for the database server, you can ensure that only traffic from the web server's security group is allowed to access the database server. This minimizes the attack surface and reduces the risk of unauthorized access to the database.

Therefore, options B and C are the correct choices.
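As an added example (not part of the original page or of AWS documentation), the following script checks both conditions from options B and C against configuration data shaped like the output of `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables`: the database security group must admit the Oracle listener port only from the web servers' security group, and the database subnet's route table must not send default traffic to an internet gateway. All security group, gateway and subnet identifiers below are constructed placeholders.

```python
# Added example: audit a database security group and its subnet's route table
# against options B and C. Input dictionaries mimic the shape returned by
# `aws ec2 describe-security-groups` / `describe-route-tables`; every ID and
# value below is constructed sample data, not a real resource.
from typing import Dict, List

ORACLE_PORT = 1521  # default Oracle listener port


def _rule_covers_port(perm: Dict, port: int) -> bool:
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def db_security_group_findings(db_sg: Dict, web_sg_id: str) -> List[str]:
    """Report every ingress source for the Oracle port other than the web SG.

    Option C is satisfied only when this returns an empty list.
    """
    gid = db_sg["GroupId"]
    findings: List[str] = []
    for perm in db_sg.get("IpPermissions", []):
        if not _rule_covers_port(perm, ORACLE_PORT):
            continue
        for r in perm.get("IpRanges", []):
            cidr = r.get("CidrIp")
            if cidr == "0.0.0.0/0":
                findings.append(f"{gid}: port {ORACLE_PORT} open to the whole Internet (0.0.0.0/0)")
            else:
                findings.append(f"{gid}: port {ORACLE_PORT} open to CIDR {cidr}; reference the web SG instead")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{gid}: port {ORACLE_PORT} open to IPv6 range {r.get('CidrIpv6')}")
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            if src != web_sg_id:
                findings.append(f"{gid}: port {ORACLE_PORT} open to security group {src}, not the web SG")
    return findings


def subnet_is_private(route_table: Dict) -> bool:
    """Option B: a subnet is private when its route table has no default route
    (0.0.0.0/0 or ::/0) whose target is an internet gateway (igw-...)."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and str(route.get("GatewayId", "")).startswith("igw-"):
            return False
    return True


def audit(db_sg: Dict, db_route_table: Dict, web_sg_id: str) -> List[str]:
    """Combine both checks; an empty list means options B and C are both met."""
    findings = db_security_group_findings(db_sg, web_sg_id)
    if not subnet_is_private(db_route_table):
        findings.append("database subnet has a default route to an internet gateway (not private)")
    return findings


# --- constructed sample data (placeholder IDs) ---
WEB_SG_ID = "sg-web-EXAMPLE"

# Option D's mistake: the Oracle port is reachable from anywhere.
WEAK_DB_SG = {
    "GroupId": "sg-db-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# Option C: only the web servers' security group may reach the listener.
HARDENED_DB_SG = {
    "GroupId": "sg-db-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG_ID}]},
    ],
}

# Route tables as in the diagram: the public subnet's default route targets an
# internet gateway, the private subnet's a NAT gateway.
PUBLIC_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
]}
PRIVATE_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
]}

if __name__ == "__main__":
    for line in audit(WEAK_DB_SG, PUBLIC_ROUTE_TABLE, WEB_SG_ID):
        print("FINDING:", line)
    print("hardened setup findings:", audit(HARDENED_DB_SG, PRIVATE_ROUTE_TABLE, WEB_SG_ID))
```

Referencing the web security group by ID rather than by CIDR is what keeps the rule correct as web instances are added, replaced or given new addresses; a CIDR rule, even a narrow one, is reported as a finding for that reason. Run against live data by feeding the `SecurityGroups` and `RouteTables` entries from the two describe calls into `audit`.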