Home › AWS Solutions Architect Associate › cloudcomputing › securearchitectures › Which combination implements defense-in-depth ne…
Which combination implements defense-in-depth network segmentation inside a VPC for a public-facing 3-tier web app?
ANo subnets — every workload in one VPC root network with no firewalls
BAll tiers in private subnets with the database accessible from the public internet
CAll EC2 instances in a single public subnet with no security groups
DPublic subnets host the ALB; private subnets host web/app tier behind NAT; an isolated subnet hosts the DB with security groups allowing only the app tier
Answer & Solution
Correct answer: D. Public subnets host the ALB; private subnets host web/app tier behind NAT; an isolated subnet hosts the DB with security groups allowing only the app tier
The standard 3-tier VPC layout: public subnets for ELB, private subnets for app servers (egress via NAT), database subnet locked down with tight security group rules. The other options collapse tiers or expose the DB.
Related questions
Which AWS feature lets you store and retrieve secrets (database passwords, API tokens) witWhich AWS service enables an organisation to enforce a baseline of security configuration A team wants short-lived credentials (15 minutes) for an external CI/CD system running OUTA workload needs to encrypt sensitive S3 objects with keys that the customer creates, rotaAn organisation needs to give a partner read-only access to one specific S3 bucket across Which AWS service is purpose-built to find and classify sensitive data (e.g. PII, credit-cWhich AWS service inspects CloudTrail / VPC flow logs / DNS query logs with ML to detect aAn organisation needs a managed L7 web application firewall to filter SQL injection and cr