AWS Certified Security – Specialty SCS-C01 – Question294

A company is running an Amazon RDS Multi-AZ DB instance inside a VPC. The DB instance is using two subnets that provide a default route to the internet through a NAT gateway.
The company also has application servers that run on Amazon EC2 instances that use the RDS database.
The company has deployed these EC2 instances into two other private subnets within the same VPC.
These EC2 instances use a default route to access the internet through the same NAT gateway. Each subnet in the VPC uses its own unique route table.
After a recent security audit, the company added a new security requirement. The DB instance must never be able to connect to the internet. A security engineer must make this change immediately without disrupting the application servers' network traffic.
How can the security engineer meet these requirements?

A.
Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Correct Answer: B