AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company is deploying a three-tier web application on AWS. The architecture consists of a public-facing Application Load Balancer (ALB), a web tier in public subnets, an application tier in private subnets, and an Amazon RDS for PostgreSQL instance in isolated private subnets. The security team requires a multi-layered security strategy:
- Protect the web application against common exploits such as SQL injection and cross-site scripting (XSS).
- Ensure that traffic between the application tier and the database never traverses the public internet.
- Provide a centralized dashboard that aggregates security findings from multiple AWS services.
- Restrict inbound traffic to the application tier so that it only comes from the web-tier instances.
- Explicitly deny all outbound traffic from the database subnets to prevent data exfiltration.
Which combination of AWS services and configurations meets all of these requirements?
Use AWS Shield Advanced and security groups to control traffic between tiers, connect the application tier to the database using VPC peering in a separate VPC, and use Amazon GuardDuty as the centralized dashboard.
Use network ACLs to allow web-tier-to-app-tier traffic, a NAT gateway for the application tier to reach the database, AWS Shield Standard for DDoS protection, and Amazon GuardDuty for threat detection.
Attach AWS WAF to the ALB. Use security groups referencing the web-tier group, but allow the database subnets to rely on security-group rules only. Route database traffic through a NAT gateway. Enable AWS Security Hub.
Attach AWS WAF to the ALB. Configure security groups that reference the web-tier security group for application-tier ingress. Deploy the RDS instance in private subnets with Public accessibility set to "No." Apply a network ACL that denies all outbound traffic from the database subnets. Enable AWS Security Hub for centralized findings.
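The combination described in the last option, written out as a CloudFormation template so the individual controls can be seen together. This is an added illustration, not part of the practice question or of any AWS sample; it assumes a VPC, the ALB, the web-tier security group, the application-tier subnet CIDRs and a REGIONAL WAFv2 web ACL already exist and are passed in as parameters, and it assumes exactly two database subnets (all resource and parameter names are hypothetical). One practitioner's caveat is built in: network ACLs are stateless, so a deny-all outbound entry on the database subnets must be preceded by an allow for PostgreSQL response traffic to the application tier, otherwise the database becomes unreachable even though the security groups (which are stateful) permit the connection.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added illustration of WAF + SG chaining + private RDS + DB-subnet NACL + Security Hub

Parameters:
  VpcId:                   { Type: AWS::EC2::VPC::Id }
  DbSubnetIds:             { Type: List<AWS::EC2::Subnet::Id> }  # two isolated private subnets (assumed)
  AppSubnetCidrs:          { Type: CommaDelimitedList }           # application-tier subnet CIDRs
  WebTierSecurityGroupId:  { Type: AWS::EC2::SecurityGroup::Id }  # SG on the web-tier instances
  AlbArn:                  { Type: String }                       # public-facing ALB
  WebAclArn:               { Type: String }                       # REGIONAL WAFv2 web ACL with SQLi/XSS rules

Resources:
  # Exploit protection: associate the web ACL with the ALB (rules live in the web ACL).
  AlbWafAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !Ref WebAclArn

  # App-tier ingress is allowed only from members of the web-tier security group,
  # not from a CIDR, so new web instances are covered automatically.
  AppTierSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier - ingress only from the web-tier SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: !Ref WebTierSecurityGroupId }

  # Database ingress is allowed only from the app-tier security group, on 5432.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS PostgreSQL - ingress only from the app-tier SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 5432, ToPort: 5432, SourceSecurityGroupId: !Ref AppTierSecurityGroup }

  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Isolated private subnets for the database
      SubnetIds: !Ref DbSubnetIds

  # Private placement plus PubliclyAccessible=false: no public IP, traffic stays in the VPC.
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.medium
      AllocatedStorage: "20"
      MasterUsername: appadmin
      ManageMasterUserPassword: true      # password generated and kept in Secrets Manager
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups: [ !Ref DbSecurityGroup ]
      PubliclyAccessible: false
      StorageEncrypted: true

  # Network ACL for the database subnets. Custom NACLs start with no allow entries.
  DbNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcId

  # Inbound PostgreSQL from the first app-tier subnet (repeat per app subnet).
  DbNaclInboundFromApp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DbNetworkAcl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: !Select [ 0, !Ref AppSubnetCidrs ]
      PortRange: { From: 5432, To: 5432 }

  # NACLs are stateless: PostgreSQL replies to the app tier's ephemeral ports must be
  # allowed explicitly, and this entry must have a lower rule number than the deny-all.
  DbNaclReturnToApp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DbNetworkAcl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: !Select [ 0, !Ref AppSubnetCidrs ]
      PortRange: { From: 1024, To: 65535 }

  # Explicit deny of every other outbound flow from the database subnets.
  DbNaclDenyAllEgress:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DbNetworkAcl
      RuleNumber: 200
      Protocol: -1
      RuleAction: deny
      Egress: true
      CidrBlock: 0.0.0.0/0

  DbSubnetAclAssociationA:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties: { SubnetId: !Select [ 0, !Ref DbSubnetIds ], NetworkAclId: !Ref DbNetworkAcl }
  DbSubnetAclAssociationB:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties: { SubnetId: !Select [ 1, !Ref DbSubnetIds ], NetworkAclId: !Ref DbNetworkAcl }

  # Centralized findings from WAF, GuardDuty, Inspector and others land here.
  SecurityHub:
    Type: AWS::SecurityHub::Hub
```

The web ACL referenced by `WebAclArn` is assumed to carry the AWS managed rule groups for SQL injection and common web exploits (AWSManagedRulesSQLiRuleSet and AWSManagedRulesCommonRuleSet); the association alone provides no protection. Security-group chaining (`SourceSecurityGroupId`) is what keeps the app-tier rule tied to the web tier rather than to addresses that change as instances scale, and a single region's Security Hub is shown; an organization would normally delegate a Security Hub administrator account and enable it in every region in use.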