AWS Certified Database – Specialty – Question 136

A company developed a new application that is deployed on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances use the security group named sg-application-servers. The company needs a database to store the data from the application and decides to use an Amazon RDS for MySQL DB instance. The DB instance is deployed in a private DB subnet.
What is the MOST restrictive configuration for the DB instance security group?

A. Only allow incoming traffic from the sg-application-servers security group on port 3306.
B. Only allow incoming traffic from the sg-application-servers security group on port 443.
C. Only allow incoming traffic from the subnet of the application servers on port 3306.
D. Only allow incoming traffic from the subnet of the application servers on port 443.

Correct Answer: B