The correct answer is Create security group rules using the security group ID as the source or destination.

Using the security group ID as the source or destination in another security group rule ensures that only resources specifically associated with that security group can communicate. This approach enables granular control between tiers (e.g., only allow traffic from the application tier security group to the database tier), supporting the principle of least privilege while remaining scalable and dynamic.

Create security group rules using the instance ID as the source or destination is incorrect because security groups do not support referencing EC2 instance IDs directly in rules. Rules must refer to IP addresses, CIDR blocks, or security group IDs.

Create security group rules using the VPC CIDR blocks as the source or destination is too broad. This approach allows communication from any instance within the VPC, which does not satisfy least privilege requirements.

Create security group rules using the subnet CIDR blocks as the source or destination offers more control than using the entire VPC CIDR, but it is still too permissive, especially in environments where multiple unrelated resources may reside in the same subnet.

Why this question matters: It assesses your understanding of how to use security groups to enforce the principle of least privilege between application tiers in a cloud environment. Proper segmentation and access control are vital for minimizing risk and limiting potential attack vectors.

Tip: When isolating traffic between application layers (such as web app DB), referencing security group IDs is a best practice to ensure only the intended EC2 instances can communicate, without relying on IP-based rules that may become outdated or misconfigured.

Full AWS Practitioner Certification Question