Certified Security - Specialty


A security architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers.

The following summary describes the architecture:

1) An ALB, internet gateway, and NAT gateway in a public subnet.

2) Database, application and web servers in 3 different private subnets.

3) The VPC has 2 route tables: one for the public subnet and one for all other subnets. The RT for the public subnet has a 0.0.0.0/0 route to the IGW. The RT for all other subnets has a 0.0.0.0/0 route to the NAT GW. All private subnets can route to each other.

4) Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.

5) There are 3 SGs; database, application and web. Each SG limits all inbound and outbound connectivity to the minimum required.

Which of the following accurately reflects the access control mechanisms that should be verified?

A) Outbound SG configuration on DB servers.
   Inbound SG configuration on app servers.
   Inbound and outbound network ACL configuration on the database subnet.
   Inbound and outbound network ACL configuration on the application subnet.

B) Inbound SG configuration on DB servers.
   Outbound SG configuration on app servers.
   Inbound and outbound network ACL configuration on the database subnet.
   Inbound and outbound network ACL configuration on the application subnet.

C) Inbound and outbound SG configuration on DB servers.
   Inbound and outbound SG configuration on app servers.
   Inbound network ACL configuration on the database subnet.
   Outbound network ACL configuration on the application subnet.

D) Inbound SG configuration on DB servers.
   Outbound SG configuration on app servers.
   Inbound network ACL configuration on the database subnet.
   Outbound network ACL configuration on the application subnet.

I think B is correct. Anyone concurs?

0 Answers
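As an added example (not part of the post or any answer), the following Python model walks the app-server-to-DB-server flow the question describes and shows which controls each mechanism needs: a security group is stateful, so only the DB SG's inbound and the app SG's outbound rules matter, while a network ACL is stateless, so both directions on both subnets matter, including the ephemeral return port. The CIDRs, IPs, DB port and rule sets are constructed assumptions, not values from any real account.

```python
# Added example (not from the post): a model of the checks for an app server -> DB server
# flow on TCP 3306. SGs are stateful, so only the DB SG inbound and app SG outbound matter;
# NACLs are stateless, so both directions on both subnets matter, including the ephemeral
# return port. Rule sets are constructed sample data; CIDRs/IPs/ports are assumptions.
from ipaddress import ip_address, ip_network

APP_CIDR, DB_CIDR = "10.0.2.0/24", "10.0.3.0/24"
APP_IP, DB_IP, DB_PORT, EPHEMERAL = "10.0.2.15", "10.0.3.20", 3306, 49152

# A rule is (cidr, port_from, port_to, allow). SGs are allow-only; NACLs also carry denies.
def sg_allows(rules, peer_ip, port):
    """Security group: any matching allow rule permits; otherwise implicit deny."""
    return any(ip_address(peer_ip) in ip_network(c) and lo <= port <= hi
               for c, lo, hi, _allow in rules)

def nacl_allows(rules, peer_ip, port):
    """Network ACL: rules are evaluated in rule-number order, first match wins, default deny."""
    for c, lo, hi, allow in rules:
        if ip_address(peer_ip) in ip_network(c) and lo <= port <= hi:
            return allow
    return False

def app_to_db_checks(sg, nacl):
    """Every control on the path; a False entry names the mechanism to fix."""
    return {
        "db_sg_inbound":     sg_allows(sg["db_in"], APP_IP, DB_PORT),
        "app_sg_outbound":   sg_allows(sg["app_out"], DB_IP, DB_PORT),
        "app_nacl_outbound": nacl_allows(nacl["app_out"], DB_IP, DB_PORT),
        "db_nacl_inbound":   nacl_allows(nacl["db_in"], APP_IP, DB_PORT),
        "db_nacl_outbound":  nacl_allows(nacl["db_out"], APP_IP, EPHEMERAL),  # SYN-ACK back
        "app_nacl_inbound":  nacl_allows(nacl["app_in"], DB_IP, EPHEMERAL),   # SYN-ACK back
    }

def failing(sg, nacl):
    return sorted(k for k, ok in app_to_db_checks(sg, nacl).items() if not ok)

# Constructed sample: everything is correct except the DB subnet NACL, which lets the SYN in
# but has no outbound rule for the ephemeral port range back to the app subnet.
SAMPLE_SG = {"db_in": [(APP_CIDR, DB_PORT, DB_PORT, True)],
             "app_out": [(DB_CIDR, DB_PORT, DB_PORT, True)]}
SAMPLE_NACL = {"app_out": [(DB_CIDR, DB_PORT, DB_PORT, True)],
               "app_in": [(DB_CIDR, 1024, 65535, True)],
               "db_in": [(APP_CIDR, DB_PORT, DB_PORT, True)],
               "db_out": [(APP_CIDR, 443, 443, True)]}  # ephemeral range missing

if __name__ == "__main__":
    print(failing(SAMPLE_SG, SAMPLE_NACL))  # ['db_nacl_outbound']
```

The same check run against the real rule sets (pulled with the AWS CLI or boto3) turns the question's "which mechanisms to verify" into a concrete list of the ones that actually block the flow.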
