Exam AWS Certified Solutions Architect - Professional topic 1 question 84 discussion

You are designing a data leak prevention solution for your VPC environment. You want your VPC instances to be able to access software depots and distributions on the Internet for product updates. The depots and distributions are accessible via third-party CDNs by their URLs.
You want to explicitly deny any other outbound connections from your VPC instances to hosts on the internet.
Which of the following options would you consider?

  • A. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default routes.
  • B. Implement security groups and configure outbound rules to only permit traffic to software depots.
  • C. Move all your instances into private VPC subnets, remove default routes from all routing tables, and add specific routes to the software depots and distributions only.
  • D. Implement network access control lists to all specific destinations, with an implicit deny all rule.
Suggested Answer: A
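
The difference between URL-based proxy rules and address-based rules, as an added example that is not part of the original question or its answers. The hostnames, path prefixes and IP addresses are constructed placeholders, and the function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allowlist (hypothetical hosts): hostname -> permitted path prefix.
ALLOWED_DEPOTS = {
    "updates.vendor.example": "/repo/",
    "cdn.distro.example": "/dists/",
}

# Constructed DNS view: an allowed depot and an unrelated site share one CDN edge IP.
RESOLVES_TO = {
    "updates.vendor.example": "203.0.113.10",
    "cdn.distro.example": "203.0.113.20",
    "files.unrelated.example": "203.0.113.10",
}


def proxy_allows(url: str) -> bool:
    """Decision a URL-filtering forward proxy makes: default deny, match host and path."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so "allowed@other" is judged on "other".
    host = (parts.hostname or "").rstrip(".")
    prefix = ALLOWED_DEPOTS.get(host)
    if prefix is None:
        return False
    # Decode and collapse "../" before comparing, so traversal cannot escape the prefix.
    path = posixpath.normpath(unquote(parts.path or "/"))
    return (path + "/").startswith(prefix)


def ip_rule_allows(url: str, allowed_ips: set) -> bool:
    """Decision an IP-based rule (security group, NACL, route) makes: address only."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return RESOLVES_TO.get(host) in allowed_ips


if __name__ == "__main__":
    depot_ips = {RESOLVES_TO[h] for h in ALLOWED_DEPOTS}
    for u in ("https://updates.vendor.example/repo/pkg.rpm",
              "https://files.unrelated.example/upload",
              "https://updates.vendor.example/repo/../private/x"):
        print(u, "proxy:", proxy_allows(u), "ip-rule:", ip_rule_allows(u, depot_ips))
```

For HTTPS, the path check applies only if the proxy terminates TLS; otherwise it can match on the CONNECT hostname alone.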

Comments

amog
Highly Voted 3 years, 7 months ago
Answer is A. Security group and NACL cannot have URLs in the rules nor does the route
upvoted 14 times
...
amministrazione
Most Recent 8 months, 3 weeks ago
A. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default routes.
upvoted 1 times
...
SkyZeroZx
1 year, 10 months ago
Selected Answer: A
A. SG/NACL/RT cannot help with URL whitelisting.
upvoted 2 times
...
TigerInTheCloud
2 years, 4 months ago
Selected Answer: A
A is a good solution. Now using managed prefix list, updated regularly through Lambda (usually CDN provides API for getting the IP list), could be a better, more reliable, and cost-efficient solution
upvoted 1 times
...
01037
3 years, 6 months ago
A CDN, so IP is fixed
upvoted 1 times
...
cldy
3 years, 6 months ago
A. SG/NACL/RT cannot help with URL whitelisting.
upvoted 1 times
...
aimar047
3 years, 6 months ago
Answer A seems correct but removing default routes is not possible
upvoted 1 times
...
miracle
3 years, 7 months ago
Answer is A. SG is for allow only. NACL is for deny and allow but cannot only via IP or Port. Cannot deny URL.
upvoted 3 times
...