Question 26. A company has applications that run on Amazon EC2 instances in a VPC. One of the applications needs to call the Amazon S3 API to store and read objects. According to the company’s security regulations, no traffic from the applications is allowed to travel across the internet. Which solution will meet these requirements?
(A) Configure an S3 gateway endpoint.
(B) Create an S3 bucket in a private subnet.
(C) Create an S3 bucket in the same AWS Region as the EC2 instances.
(D) Configure a NAT gateway in the same subnet as the EC2 instances.
Answer is (A) Configure an S3 gateway endpoint.
A gateway endpoint is a VPC endpoint that you can use to connect to Amazon S3 from within your VPC. Traffic between your VPC and Amazon S3 never leaves the Amazon network, so it doesn’t traverse the internet. This means you can access Amazon S3 without the need to use a NAT gateway or a VPN connection.
Option B (creating an S3 bucket in a private subnet) is not a valid solution because S3 buckets do not have subnets.
Option C (creating an S3 bucket in the same AWS Region as the EC2 instances) is not a requirement for meeting the given security regulations.
Option D (configuring a NAT gateway in the same subnet as the EC2 instances) is not a valid solution because it would allow traffic to leave the VPC and travel across the Internet.
Reference:
https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
Question 27. A company is storing sensitive user information in an Amazon S3 bucket. The company wants to provide secure access to this bucket from the application tier running on Amazon EC2 instances inside a VPC. Which combination of steps should a solutions architect take to accomplish this? (Choose two.)
(A) Configure a VPC gateway endpoint for Amazon S3 within the VPC.
(B) Create a bucket policy to make the objects in the S3 bucket public.
(C) Create a bucket policy that limits access to only the application tier running in the VPC.
(D) Create an IAM user with an S3 access policy and copy the IAM credentials to the EC2 instance.
(E) Create a NAT instance and have the EC2 instances use the NAT instance to access the S3 bucket.
Answers are:
A. Configure a VPC gateway endpoint for Amazon S3 within the VPC.
C. Create a bucket policy that limits access to only the application tier running in the VPC.
A. This keeps the traffic between the instances and S3 off the internet, providing an added layer of security.
B. Making the objects public is the opposite of what is needed; access to the bucket and its objects must be restricted to authorized entities only.
C. This helps maintain the confidentiality of the sensitive user information by limiting access to authorized resources.
D. Since the EC2 instances access the S3 bucket from within the VPC, copying IAM user credentials to the instances is unnecessary and can introduce additional security risks.
E. Using a NAT instance to access the S3 bucket adds unnecessary complexity and overhead.
In summary, the recommended steps to provide secure access to the S3 from the application tier running on EC2 inside a VPC are to configure a VPC gateway endpoint for S3 within the VPC (option A) and create a bucket policy that limits access to only the application tier running in the VPC (option C).
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-private-connection-noauthentication/
Question 28. An Amazon EC2 administrator created the following policy associated with an IAM group containing several users:
[The policy document is shown as an image in the original and is not reproduced here.]
What is the effect of this policy?
(A) Users can terminate an EC2 instance in any AWS Region except us-east-1.
(B) Users can terminate an EC2 instance with the IP address 10.100.100.1 in the us-east-1 Region.
(C) Users can terminate an EC2 instance in the us-east-1 Region when the user’s source IP is 10.100.100.254.
(D) Users cannot terminate an EC2 instance in the us-east-1 Region when the user’s source IP is 10.100.100.254.
Answer is (C) Users can terminate an EC2 instance in the us-east-1 Region when the user’s source IP is 10.100.100.254.
As background on which addresses in a subnet can belong to a host: in a subnet with the CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address.
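As an added example (not from the page, from AWS, or from any project), a minimal Python model of IAM policy evaluation: an explicit Deny wins, then an Allow, otherwise the request is implicitly denied. It is run against the Question 26/27 pattern of a bucket policy that denies any request not arriving through the gateway endpoint (aws:SourceVpce, with vpce-EXAMPLE as a placeholder id), and against a policy constructed to be consistent with the stated answer to Question 28, since the original policy image is not reproduced on the page. The 10.100.100.0/24 range, the aws:RequestedRegion condition key and the same-account simplification (identity and resource statements pooled into one list) are assumptions.

```python
import ipaddress

def _conditions_hold(conditions, ctx):
    # Every condition must hold. A missing context key fails IpAddress but
    # satisfies StringNotEquals, matching IAM's handling of absent keys.
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
            elif operator == "StringNotEquals":
                ok = actual != expected
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True

def evaluate(statements, action, ctx):
    """Return 'Allow' or 'Deny': an explicit Deny wins, then an Allow, else implicit deny.
    Same-account simplification; action patterns may end in a wildcard such as "ec2:*"."""
    effects = set()
    for s in statements:
        patterns = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        if any(action == p or (p.endswith("*") and action.startswith(p[:-1])) for p in patterns) \
                and _conditions_hold(s.get("Condition", {}), ctx):
            effects.add(s["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
# Question 27: the instance role allows object access; the bucket policy denies anything
# that did not arrive through the gateway endpoint (vpce-EXAMPLE is a placeholder id).
S3_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]
# Question 28: constructed to be consistent with the stated answer (the page's policy
# image is not reproduced); the /24 range and the region key are assumptions.
EC2_STATEMENTS = [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.100.100.0/24"}}},
    {"Effect": "Deny", "Action": "ec2:*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
]
if __name__ == "__main__":
    print(evaluate(S3_STATEMENTS, "s3:GetObject", {"aws:SourceIp": "203.0.113.5"}))  # Deny
    print(evaluate(EC2_STATEMENTS, "ec2:TerminateInstances",
                   {"aws:SourceIp": "10.100.100.254", "aws:RequestedRegion": "us-east-1"}))  # Allow
```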
Question 29. A company’s containerized application runs on an Amazon EC2 instance. The application needs to download security certificates before it can communicate with other business applications. The company wants a highly secure solution to encrypt and decrypt the certificates in near real time. The solution also needs to store data in highly available storage after the data is encrypted. Which solution will meet these requirements with the LEAST operational overhead?
(A) Create AWS Secrets Manager secrets for encrypted certificates. Manually update the certificates as needed. Control access to the data by using fine-grained IAM access.
(B) Create an AWS Lambda function that uses the Python cryptography library to receive and perform encryption operations. Store the function in an Amazon S3 bucket.
(C) Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.
(D) Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon Elastic Block Store (Amazon EBS) volumes.
Answer is (C) Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.
AWS KMS: Provides a managed service for secure key storage and encryption/decryption operations. This eliminates the need to manage encryption/decryption logic within the application itself.
Customer Managed Key: The company maintains control over the key, ensuring security.
EC2 Role Permissions: Granting permissions to the EC2 role allows the application to use KMS for encryption/decryption without managing individual credentials.
Amazon S3: Offers highly available and scalable storage for the encrypted certificates. S3 is generally cheaper than EBS for data that is not frequently accessed.
A – Does not mention storing the encrypted data at all (though that is a requirement), and it relies on manual updates, which is certainly not the LEAST operational overhead.
B – Does not make sense as a solution: a Lambda function with a custom cryptography library is not a managed key service, and storing the function in S3 does not store the encrypted data.
C – Yes, S3 meets the requirements and is easy to access from a containerized application.
D – EBS volumes are attached to the container host, while the data is created inside the containers; an EBS volume is also confined to a single Availability Zone, so it does not provide the highly available storage that S3 does.
Question 30. A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates. What should the solutions architect do to enable internet access for the private subnets?
(A) Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
(B) Create three NAT instances, one for each private subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
(C) Create a second internet gateway on one of the private subnets. Update the route table for the private subnets that forward non-VPC traffic to the private internet gateway.
(D) Create an egress-only internet gateway on one of the public subnets. Update the route table for the private subnets that forward non-VPC traffic to the egress-only internet gateway.
Answer is (A) Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
To enable Internet access for the private subnets, the solutions architect should create three NAT gateways, one for each public subnet in each Availability Zone (AZ). NAT gateways allow private instances to initiate outbound traffic to the Internet but do not allow inbound traffic from the Internet to reach the private instances.
The solutions architect should then create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ. This will allow instances in the private subnets to access the Internet through the NAT gateways in the public subnets.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html
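An added example (not from the page or from AWS) that checks the design the answer prescribes: given a constructed description of subnets, NAT gateways and route tables, it flags any private subnet whose IPv4 default route is missing, points at an internet gateway or an egress-only internet gateway (the designs in options C and D), or uses a NAT gateway in a different AZ. The subnet, NAT gateway and route table ids are made up, and one route table is deliberately misconfigured so that the check has something to report.

```python
# Constructed VPC description (not real AWS API output): one public and one
# private subnet per AZ, a NAT gateway in each public subnet, and a route
# table per private subnet, as the answer to Question 30 prescribes.
SUBNETS = {
    "subnet-pub-a": {"az": "us-east-1a", "public": True},
    "subnet-pub-b": {"az": "us-east-1b", "public": True},
    "subnet-pub-c": {"az": "us-east-1c", "public": True},
    "subnet-priv-a": {"az": "us-east-1a", "public": False},
    "subnet-priv-b": {"az": "us-east-1b", "public": False},
    "subnet-priv-c": {"az": "us-east-1c", "public": False},
}
NAT_GATEWAYS = {"nat-a": "subnet-pub-a", "nat-b": "subnet-pub-b", "nat-c": "subnet-pub-c"}
ROUTE_TABLES = {
    "rtb-priv-a": {"subnets": ["subnet-priv-a"], "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-a"}},
    "rtb-priv-b": {"subnets": ["subnet-priv-b"], "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-b"}},
    # Misconfiguration planted for the demo: AZ c sends its traffic through AZ a's NAT gateway.
    "rtb-priv-c": {"subnets": ["subnet-priv-c"], "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-a"}},
}

def check_private_egress(subnets, nat_gateways, route_tables):
    """Return findings for private subnets whose IPv4 default route is missing,
    points at an internet gateway (making the subnet public), at an egress-only
    internet gateway (IPv6 only), or at a NAT gateway outside the subnet's AZ."""
    findings = []
    for rtb in route_tables.values():
        target = rtb["routes"].get("0.0.0.0/0")
        for subnet_id in rtb["subnets"]:
            subnet = subnets[subnet_id]
            if subnet["public"]:
                continue
            if target is None:
                findings.append(f"{subnet_id}: no IPv4 default route, instances cannot reach the internet")
            elif target.startswith("igw-"):
                findings.append(f"{subnet_id}: default route to an internet gateway turns the subnet public")
            elif target.startswith("eigw-"):
                findings.append(f"{subnet_id}: egress-only internet gateway carries IPv6 only, not IPv4")
            elif target.startswith("nat-"):
                nat_subnet = subnets[nat_gateways[target]]
                if not nat_subnet["public"]:
                    findings.append(f"{subnet_id}: NAT gateway {target} sits in a private subnet")
                elif nat_subnet["az"] != subnet["az"]:
                    findings.append(f"{subnet_id}: NAT gateway {target} is in {nat_subnet['az']}, a cross-AZ dependency")
    return findings

if __name__ == "__main__":
    for finding in check_private_egress(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES):
        print(finding)
```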