AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations engineer is troubleshooting a Java application running on an EC2 instance in a private subnet that suddenly fails to connect to an Amazon RDS for MySQL database in the same VPC. The instance is attached to security group sg-app, whose only outbound rules allow TCP ports 80 and 443 to 0.0.0.0/0. The database is attached to sg-db, whose inbound rules allow TCP 3306 from sg-app. Network ACLs and route tables already permit all traffic between the subnets. Which change will most effectively restore connectivity while adhering to the principle of least privilege?
Associate both the EC2 instance and the database with the default security group.
Add an outbound rule to sg-app that allows TCP 3306 with sg-db as the destination.
Broaden sg-db's inbound rule to allow TCP 3306 from 0.0.0.0/0.
Add an inbound rule to sg-app that allows TCP 3306 from sg-db.
The initial client connection originates from the EC2 instance, so sg-app must allow egress on the destination port. Because sg-app's outbound rules currently restrict traffic to ports 80 and 443, the SYN packet for MySQL (TCP 3306) is dropped before it ever reaches sg-db. Adding an outbound rule that permits TCP 3306 with sg-db (or its CIDR) as the destination allows the connection to be established, while still limiting other outbound traffic. Opening sg-db to 0.0.0.0/0 or moving both resources to the default security group would grant unnecessary access, and adding an inbound rule to sg-app is irrelevant because the instance is the initiator and stateful rules already cover return traffic.
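As an added illustration, not part of the original question and not AWS code, the following Python model evaluates one TCP connection against a pair of stateful security groups and walks through the question's three states: the original rules, the distractor inbound rule on sg-app, and the least-privilege egress fix. Instance and database addresses are constructed placeholders, and rules are simplified to single TCP ports.

```python
# Minimal model of AWS security-group evaluation for one TCP connection.
# Constructed example: rules are single TCP ports with a peer that is either
# a security-group id or a CIDR; protocol and port ranges are omitted.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    port: int
    peer: str  # "sg-..." id or CIDR such as "0.0.0.0/0"

@dataclass
class SecurityGroup:
    gid: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

def _matches(rule, port, peer_sg, peer_ip):
    if rule.port != port:
        return False
    if rule.peer.startswith("sg-"):  # group reference: match on the peer's group
        return rule.peer == peer_sg
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

def can_connect(src, src_ip, dst, dst_ip, port):
    """Return (allowed, reason). Security groups are stateful, so only the
    initiating SYN is checked: source egress, then destination ingress.
    The reply packets need no rule of their own."""
    if not any(_matches(r, port, dst.gid, dst_ip) for r in src.outbound):
        return False, f"{src.gid} egress blocks TCP {port} to {dst.gid}"
    if not any(_matches(r, port, src.gid, src_ip) for r in dst.inbound):
        return False, f"{dst.gid} ingress blocks TCP {port} from {src.gid}"
    return True, "allowed"

def scenario():
    """Walk through the question's three states; IPs are constructed placeholders."""
    app_ip, db_ip = "10.0.1.10", "10.0.2.20"
    sg_app = SecurityGroup("sg-app", outbound=[Rule(80, "0.0.0.0/0"), Rule(443, "0.0.0.0/0")])
    sg_db = SecurityGroup("sg-db", inbound=[Rule(3306, "sg-app")])
    before = can_connect(sg_app, app_ip, sg_db, db_ip, 3306)
    # Distractor: an inbound rule on sg-app changes nothing, the instance initiates
    sg_app.inbound.append(Rule(3306, "sg-db"))
    wrong_fix = can_connect(sg_app, app_ip, sg_db, db_ip, 3306)
    # Least-privilege fix: egress on 3306 scoped to sg-db only
    sg_app.outbound.append(Rule(3306, "sg-db"))
    fixed = can_connect(sg_app, app_ip, sg_db, db_ip, 3306)
    return before, wrong_fix, fixed

if __name__ == "__main__":
    print(*scenario(), sep="\n")
```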