Your current setup in AWS consists of the following architecture. 2 public subnets, one subnet which has the EC2 web servers accessed by users across the internet and the other subnet for the EC2 database server. The application uses the HTTPs protocol. Which of the following changes to the architecture would add a better security boundary to the resources hosted in your setup? (Select TWO.)

Answer options:

A.Assign public IPs to the web servers.
B.Consider moving the database server to a private subnet.
C.Consider moving both the web and database server to a private subnet.
D.Only allow the ingress port 443 in the security group of the webserver EC2 instances.
E.Consider creating a private subnet and adding a NAT instance to that subnet.

Answer: B, D
Option A is incorrect because assigning public IPs does not enhance the security of the servers.
Option B is CORRECT as moving Database on EC2 to the private subnet is a recommended AWS best practice.
Option C is incorrect because if you move the webserver to a private subnet, users cannot access it over the public network.
Option D is CORRECT as only the necessary ports should be allowed in the webserver EC2 instances to prevent unexpected traffic. Please note that the option modifies the SG of the webserver. For the SG of the database server, it needs to ensure the database port is open.
Option E is incorrect because NAT instances should be present in the public subnet to connect databases to the Internet.
The ideal setup is to ensure that the webserver is hosted in the public subnet so that users on the internet can access it. The database server can be hosted in the private subnet.
The below diagram from the AWS Documentation shows how this can be set up:
For more information on public and private subnets in AWS, kindly refer to the following URL
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html