A company runs an Amazon RDS for MySQL DB instance in a VPC. Security requirements mandate that only specific EC2 instances in the same VPC can connect to the database. The security group attached to the RDS instance currently allows inbound traffic on port 3306 from 0.0.0.0/0. Which combination of steps should a database specialist take to meet the security requirement without impacting existing application connectivity? (Choose two.)
- Trap 1: Modify the network ACL for the DB subnet to allow inbound port 3306…
  Network ACLs are stateless and require separate inbound and outbound rules; security groups are more appropriate for this use case.
- Trap 2: Modify the DB subnet group to place the RDS instance in a public…
  Placing the database in a public subnet is insecure and unnecessary; subnet group changes do not affect security group rules.
- Trap 3: Add an inbound rule to the RDS security group allowing traffic from…
  This would still allow any resource in the VPC, which is broader than needed.
- A. Modify the network ACL for the DB subnet to allow inbound port 3306 from the EC2 instance's private IP.
  Why wrong: Network ACLs are stateless and require separate inbound and outbound rules; security groups are more appropriate for this use case.
- B. Remove the inbound rule for 0.0.0.0/0 on the RDS security group.
  Why correct: Removing the overly permissive rule is necessary to restrict access.
- C. Add an inbound rule to the RDS security group referencing the security group ID of the EC2 instances.
  Why correct: Referencing the EC2 security group allows traffic only from instances that have that security group attached, which is the recommended practice.
- D. Modify the DB subnet group to place the RDS instance in a public subnet with a route to the EC2 instance.
  Why wrong: Placing the database in a public subnet is insecure and unnecessary; subnet group changes do not affect security group rules.
- E. Add an inbound rule to the RDS security group allowing traffic from the VPC CIDR on port 3306.
  Why wrong: This would still allow any resource in the VPC, which is broader than needed.
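A check for the condition described in options B, C and E, written as an added example (not part of the original question or of any AWS tooling): it walks the inbound rules of the RDS security group, flags any rule that still opens TCP/3306 to 0.0.0.0/0 or to a CIDR such as the VPC range, and confirms that the rule referencing the EC2 instances' security group is present. The rule structure assumes the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`; the sample rules and the group ID `sg-app-placeholder` are constructed.

```python
MYSQL_PORT = 3306


def covers_mysql(perm):
    """True if one IpPermissions entry covers TCP/3306 (or all traffic, "-1")."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= MYSQL_PORT <= perm.get("ToPort", 65535)


def audit_rds_ingress(ip_permissions, app_sg_id):
    """Classify 3306-covering inbound rules of the RDS security group.

    open_to_world: rules from 0.0.0.0/0 or ::/0 (option B says remove these)
    cidr_rules:    any other CIDR-based source, e.g. the VPC range (option E trap)
    references_app_sg: whether the EC2 instances' SG is referenced (option C)
    """
    findings = {"open_to_world": [], "cidr_rules": [], "references_app_sg": False}
    for perm in ip_permissions:
        if not covers_mysql(perm):
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            key = "open_to_world" if cidr in ("0.0.0.0/0", "::/0") else "cidr_rules"
            findings[key].append(cidr)
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg_id:
                findings["references_app_sg"] = True
    findings["compliant"] = (
        not findings["open_to_world"]
        and not findings["cidr_rules"]
        and findings["references_app_sg"]
    )
    return findings


# Constructed sample rules (placeholder group ID, not a real account's value).
APP_SG = "sg-app-placeholder"
BEFORE = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]
VPC_CIDR_ONLY = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                  "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]
AFTER = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]}]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("vpc-cidr", VPC_CIDR_ONLY), ("after", AFTER)):
        print(name, audit_rds_ingress(rules, APP_SG))
```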