Secure Access for AWS Web Application Architecture

Secure Access Configuration


Question

Your team is planning to develop and deploy an application onto AWS with the following architecture.

· A set of EC2 Instances in a VPC hosting the web tier
· A database hosted using the AWS RDS MySQL instance

Which of the following should ideally be set so that only HTTPS users can access the web application and for the web application to access the database? (Choose 2)

Answers

Explanations


Answer - A and D.

Option A is correct because port 443 will allow only HTTPS traffic from all sources.

Option D is correct because the Database server Security Group must allow traffic from the source Web server on port 3306.

Option B is invalid since the database should not be exposed to the Internet.

Option C is invalid since the database security group should allow incoming traffic on port 3306.

Please refer to the below URL and go to the Security section for more information on this scenario.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
WebServerSG: Recommended Rules

Inbound

Source      Protocol  Port Range  Comments
0.0.0.0/0   TCP       80          Allow inbound HTTP access to the web servers from any IPv4 address.
0.0.0.0/0   TCP       443         Allow inbound HTTPS access to the web servers from any IPv4 address.

DBServerSG: Recommended Rules

Inbound

Source                                    Protocol  Port Range  Comments
The ID of your WebServerSG security group  TCP       1433        Allow inbound Microsoft SQL Server access from the web servers associated with the WebServerSG security group.
The ID of your WebServerSG security group  TCP       3306        Allow inbound MySQL Server access from the web servers associated with the WebServerSG security group.

To ensure that only HTTPS users can access the web application and for the web application to access the database, the following steps should be taken:

  1. Create a security group for the web EC2 instances: A security group acts as a virtual firewall for the instances in the VPC, controlling inbound and outbound traffic. To restrict access to the web tier to only HTTPS users, an inbound security group rule should be created for the web EC2 instances, allowing traffic from the source of 0.0.0.0/0 (which means any IP address) and port 443 (which is the default port for HTTPS traffic).

Therefore, answer A is correct.

  2. Create a security group for the database RDS instance: Similar to the web tier, a security group should also be created for the database RDS instance. However, instead of allowing traffic from any IP address on port 443, traffic should only be allowed from the web tier. An inbound security group rule should be created for the database layer allowing traffic from the source of the web layer on port 3306 (which is the default port for MySQL traffic).

Therefore, answer D is correct.
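The two security groups described in the steps above (and in the recommended-rules tables) can be checked mechanically. The following is an added example, not code from the page or from the AWS documentation it cites: it models each group's inbound rules in the shape that `aws ec2 describe-security-groups` returns, using placeholder group IDs and constructed sample data, and reports every deviation from the target state (web tier: only TCP 443 from anywhere; database tier: only TCP 3306, sourced from the web tier's security group). The two weak variants included are the ones the explanation rejects: a database reachable from any IPv4 address, and a web tier that also accepts plain HTTP.

```python
"""Audit two-tier security group ingress (added example, constructed data).

Dictionaries mirror the SecurityGroups[].IpPermissions shape returned by
`aws ec2 describe-security-groups`. Group IDs are placeholders, not real
resources.
"""

WEB_SG_ID = "sg-0aaaaaaaaaaaaaaaa"  # placeholder, constructed
DB_SG_ID = "sg-0bbbbbbbbbbbbbbbb"   # placeholder, constructed


def _tcp_rule(port, cidrs=(), group_ids=()):
    """Build one IpPermissions entry for a single TCP port."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": g} for g in group_ids],
    }


# Recommended configuration (answers A and D on this page).
WEB_SG_OK = {"GroupId": WEB_SG_ID,
             "IpPermissions": [_tcp_rule(443, cidrs=["0.0.0.0/0"])]}
DB_SG_OK = {"GroupId": DB_SG_ID,
            "IpPermissions": [_tcp_rule(3306, group_ids=[WEB_SG_ID])]}

# Constructed weak variants: web tier also open on HTTP, database open to the internet.
WEB_SG_HTTP_TOO = {"GroupId": WEB_SG_ID, "IpPermissions": [
    _tcp_rule(80, cidrs=["0.0.0.0/0"]), _tcp_rule(443, cidrs=["0.0.0.0/0"])]}
DB_SG_INTERNET = {"GroupId": DB_SG_ID,
                  "IpPermissions": [_tcp_rule(3306, cidrs=["0.0.0.0/0"])]}


def _describe(perm):
    """Human-readable protocol/port summary of one rule."""
    if perm["IpProtocol"] == "-1":
        return "all protocols/ports"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"


def _is_tcp_port(perm, port):
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort") == port and perm.get("ToPort") == port)


def audit_web_sg(sg):
    """Return findings for the web tier; empty means only TCP 443 is open."""
    findings = []
    for perm in sg["IpPermissions"]:
        if not _is_tcp_port(perm, 443):
            findings.append(f"web SG allows non-HTTPS inbound {_describe(perm)}")
    if not any(_is_tcp_port(p, 443) and p["IpRanges"] for p in sg["IpPermissions"]):
        findings.append("web SG has no TCP 443 rule with a CIDR source")
    return findings


def audit_db_sg(sg, web_sg_id):
    """Return findings for the database tier; empty means only TCP 3306 from the web SG."""
    findings = []
    for perm in sg["IpPermissions"]:
        # Any CIDR source on the database tier is a finding, whatever the port.
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        if cidrs:
            findings.append(f"database SG reachable from CIDR {cidrs} on {_describe(perm)}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != web_sg_id:
                findings.append(f"database SG trusts unexpected group {pair['GroupId']}")
        if not _is_tcp_port(perm, 3306):
            findings.append(f"database SG allows non-MySQL inbound {_describe(perm)}")
    if not any(_is_tcp_port(p, 3306)
               and any(g["GroupId"] == web_sg_id for g in p.get("UserIdGroupPairs", []))
               for p in sg["IpPermissions"]):
        findings.append("database SG lacks a TCP 3306 rule sourced from the web SG")
    return findings


if __name__ == "__main__":
    checks = [("web (recommended)", audit_web_sg(WEB_SG_OK)),
              ("db (recommended)", audit_db_sg(DB_SG_OK, WEB_SG_ID)),
              ("web (HTTP too)", audit_web_sg(WEB_SG_HTTP_TOO)),
              ("db (internet)", audit_db_sg(DB_SG_INTERNET, WEB_SG_ID))]
    for name, result in checks:
        print(f"{name}: {result or 'compliant'}")
```

The database check treats any CIDR source as a finding rather than only 0.0.0.0/0, since the target state names the web tier's security group as the sole source; a real audit would feed it the live `describe-security-groups` output instead of the constructed dictionaries.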

Option B is not correct because allowing traffic from any IP address to the database layer on port 443 would open up a security vulnerability, as it would allow anyone to connect to the database.

Option C is also not correct because allowing traffic from the web tier to the database on port 3306 would expose the database to potential security threats from the internet.

In summary, the correct answers are A and D.