Download Latest DBS-C01 Questions

The correct answer is A. Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.

The explanation is as follows:

• To allow the reporting application to access the production database, the database administrator needs to configure the security group rules for both the database and the EC2 instance. The security group rules must allow traffic between the peered VPCs on the port that the database uses, which is 5432 for PostgreSQL1.
• Option A is correct because it adds an inbound rule to the database security group that allows access from the developer account VPC CIDR on port 5432. This means that the database can accept connections from the EC2 instance in the peered VPC. It also adds an outbound rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432. This means that the EC2 instance can initiate connections to the database in the peered VPC.
• Option B is incorrect because it adds an outbound rule to the database security group, which is not necessary. The database does not need to initiate connections to the EC2 instance, only accept them. It also does not add an inbound rule to the EC2 security group, which is not required. The EC2 instance does not need to accept connections from the database, only initiate them.
• Option C is incorrect because it adds an inbound rule to the database security group that allows access from the developer account VPC CIDR on all TCP ports. This is too permissive and violates the principle of least privilege2. It also adds an inbound rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432. This is unnecessary and does not help with connectivity.
• Option D is incorrect because it adds an outbound rule to the EC2 security group that allows access to the production account VPC CIDR on all TCP ports. This is too permissive and violates the principle of least privilege2. It also does not add an outbound rule to the database security group, which is not needed.

References: 1: [Working with PostgreSQL and pgAdmin - Amazon Aurora] 2: [Security best practices in IAM - AWS Identity and Access Management]

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-replicas-adding.html

https://aws.amazon.com/getting-started/hands-on/aurora-cloning-backtracking/

"Cloning an Aurora cluster is extremely useful if you want to assess the impact of changes to your database, or if you need to perform workload-intensive operations—such as exporting data or running analytical queries, or simply if you want to use a copy of your production database in a development or testing environment. You can make multiple clones of your Aurora DB cluster. You can even create additional clones from other clones, with the constraint that the clone databases must be created in the same region as the source databases.