
SOA-C03 · Question #55

SOA-C03 Question #55: Real Exam Question with Answer & Explanation

The correct answer is C: Add an inbound rule to the database's security group. Reference sg-1234abcd as the source.

Submitted by krish.m · Mar 5, 2026

Question

A company's application servers in AWS account 111122223333 use a security group sg-1234abcd. They need to access a database hosted in account 444455556666. The VPCs are connected using a VPC peering connection (pcx-b04deed9). A CloudOps engineer must configure the database's security group to allow new connections only from the application servers. What should the engineer do?

Options

  • A. Add an inbound rule to the database's security group. Reference 111122223333/sg-1234abcd as
  • B. Add an inbound rule to the database's security group. Reference pcx-b04deed9/sg-1234abcd as
  • C. Add an inbound rule to the database's security group. Reference sg-1234abcd as the source.
  • D. Add an inbound rule to the database's security group. Reference 444455556666/sg-1234abcd as

Explanation

According to AWS Cloud Operations and VPC Networking documentation, when VPCs are peered, security groups can reference peer account security groups directly to restrict traffic. This feature allows specifying the security group ID (sg-1234abcd) from the source account (111122223333) in the target database's security group inbound rule. AWS automatically validates that the VPCs are connected through an existing VPC peering connection and that mutual permissions are properly configured. You do not prefix the security group ID with the account or peering connection (Options A and B), and using the destination account ID (Option D) is incorrect because it represents the database side, not the source. Hence, the correct configuration is Option C, which references the application servers' security group directly for precise, least-privilege access control.
