Secure Setup for Hosting a Web Application on AWS

Ensure Secure Setup for Hosting a Web Application on AWS

Prev Question Next Question

Question

You have planned to host a web application on AWS.

You create an EC2 Instance in a public subnet that needs to connect to an EC2 Instance that will host an Oracle database.

Which steps would ensure a secure setup? (SELECT TWO)

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B and C.

The best and most secure option is to place the database in a private subnet.

The below diagram from AWS Documentation shows this setup.

Also, you ensure that access is not allowed from all sources but only from the web servers.

Option A is incorrect because DB instances are placed in Private subnets and allowed to communicate with web servers in the public subnet as per the best practice guidelines.

Option D is incorrect because allowing all incoming traffic from the Internet to the DB instance is a security risk.

For more information on this type of setup, please refer to the below URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
198.51.
198.51]
198.51.

\t

100.1 IP) 10.0.0.5 ea
02 ecg gaa |
100.3 (Elastic IP) 10.0.0.7 NAT gateway

‘Web servers 198 51.100.4 (Elastic IP)

Public subnet

Custom route table

Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw-id

a

Main route table

Destination Target
10.0.0.0/16 local
0.0.0.0/0 nat-gateway-id

10.0.0.0/16

Region

When hosting a web application on AWS, it's essential to ensure that the setup is secure. One of the critical aspects of security is securing the connection between the web server and the database server. The following steps would ensure a secure setup:

  1. Place the EC2 instance that will host the Oracle database in a private subnet:

A private subnet is a subnet that doesn't have a route to the Internet Gateway. This means that instances in a private subnet can't be accessed directly from the internet, which provides an additional layer of security.

  1. Create a database security group that allows incoming traffic only from the Webserver's security group:

A security group acts as a virtual firewall for your instances, controlling inbound and outbound traffic. By creating a database security group that only allows incoming traffic from the web server's security group, you ensure that only the web server can communicate with the database server.

Therefore, options B and C are the correct answers.

Option A is incorrect because it's not recommended to place the database server and web server in the same public subnet. By doing so, you increase the attack surface because both servers are accessible from the internet.

Option D is incorrect because allowing incoming traffic from 0.0.0.0/0 means that anyone can access the database server, which is not secure. You should restrict access to the database server to only the necessary entities.