Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 434 discussion

A company has implemented a new security requirement. According to the new requirement, the company must scan all traffic from corporate AWS instances in the company's VPC for violations of the company's security policies. As a result of these scans, the company can block access to and from specific IP addresses.

To meet the new requirement, the company deploys a set of Amazon EC2 instances in private subnets to serve as transparent proxies. The company installs approved proxy server software on these EC2 instances. The company modifies the route tables on all subnets to use the corresponding EC2 instances with proxy software as the default route. The company also creates security groups that are compliant with the security policies and assigns these security groups to the EC2 instances.

Despite these configurations, the traffic of the EC2 instances in their private subnets is not being properly forwarded to the internet.

What should a solutions architect do to resolve this issue?

  • A. Disable source/destination checks on the EC2 instances that run the proxy software.
  • B. Add a rule to the security group that is assigned to the proxy EC2 instances to allow all traffic between instances that have this security group. Assign this security group to all EC2 instances in the VPC.
  • C. Change the VPC's DHCP options set. Set the DNS server options to point to the addresses of the proxy EC2 instances.
  • D. Assign one additional elastic network interface to each proxy EC2 instance. Ensure that one of these network interfaces has a route to the private subnets. Ensure that the other network interface has a route to the internet.
Suggested Answer: A
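The check and fix that option A describes, as an added example that is not part of the question or of any commenter's post. It assumes the AWS CLI v2 is installed and configured with permissions for ec2:DescribeInstanceAttribute and ec2:ModifyInstanceAttribute; the instance IDs in the usage line are hypothetical placeholders. The script reads the SourceDestCheck attribute of each proxy instance, disables it only where it is still enabled, and re-reads it so the exit status tells you whether every proxy can now forward traffic it neither originated nor is addressed to.

```shell
#!/bin/sh
# Added example (not from the question or any commenter): audit and fix the
# source/destination check on a set of proxy / NAT instances.
# Assumes: AWS CLI v2 configured with rights to describe and modify the
# instance attribute. Instance IDs passed on the command line are placeholders.

# Print the current SourceDestCheck value ("True" or "False") for one instance.
source_dest_check() {
    aws ec2 describe-instance-attribute \
        --instance-id "$1" \
        --attribute sourceDestCheck \
        --query 'SourceDestCheck.Value' \
        --output text
}

# Disable the check so the instance may send and receive packets whose source
# or destination is not one of its own addresses. Only forwarding appliances
# (NAT instances, transparent proxies, firewalls) should have this disabled;
# leave it enabled on ordinary workload instances.
disable_source_dest_check() {
    aws ec2 modify-instance-attribute \
        --instance-id "$1" \
        --no-source-dest-check
}

# For each instance ID given: disable the check if it is enabled, re-read the
# attribute, and print "<id> fixed", "<id> already-disabled" or
# "<id> still-enabled". Returns 1 if any instance is still enabled afterwards.
fix_proxies() {
    rc=0
    for id in "$@"; do
        if [ "$(source_dest_check "$id")" = "True" ]; then
            disable_source_dest_check "$id"
            state=fixed
        else
            state=already-disabled
        fi
        # Re-read rather than trust the modify call: a failed or throttled
        # API call would otherwise be reported as a fix.
        if [ "$(source_dest_check "$id")" = "True" ]; then
            state=still-enabled
            rc=1
        fi
        echo "$id $state"
    done
    return $rc
}

# Usage with hypothetical IDs:
#   sh fix-proxies.sh i-0123456789abcdef0 i-0fedcba9876543210
if [ $# -gt 0 ]; then
    fix_proxies "$@"
fi
```

The instance-level attribute acts on the instance's primary network interface; if a proxy is built with extra ENIs (as option D proposes), each secondary interface needs `aws ec2 modify-network-interface-attribute --network-interface-id <eni> --no-source-dest-check` as well. Disabling the check does not by itself give the proxy a path to the internet: the proxy subnet's route table still needs a default route to an internet gateway or NAT gateway, and the proxy's security group must allow the forwarded traffic in from the private subnets.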

Comments

kejam
Highly Voted 1 year, 2 months ago
Selected Answer: A
Answer A: Proxies like NATs will need SrcDestCheck disabled https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
upvoted 9 times
...
0b43291
Most Recent 5 months, 2 weeks ago
Selected Answer: A
In an Amazon VPC, the source/destination check is a security feature that ensures that an instance cannot be used as a network gateway or router to forward traffic between resources. By default, this check is enabled on all EC2 instances. When you want to use an EC2 instance as a transparent proxy or network appliance to forward traffic between resources, you need to disable the source/destination check on that instance. This allows the instance to receive and forward traffic that is not destined for itself. The other options provided would not resolve the issue: Option B (adding a security group rule) would not enable the proxy instances to forward traffic, as the source/destination check is a separate network configuration. Option C (changing DHCP options) would not affect the ability of the proxy instances to forward traffic. Option D (adding additional network interfaces) is not necessary, as the issue is related to the source/destination check and not the network interface configuration.
upvoted 1 times
...
AzureDP900
5 months, 3 weeks ago
Option A resolves the issue by allowing the traffic of the EC2 instances in their private subnets to be properly forwarded to the internet.
upvoted 1 times
...
chris_spencer
6 months, 2 weeks ago
With A I am missing the route to the internet via a NAT Gateway or NAT Instance via an ENI; with D I miss the src/dst check
upvoted 1 times
...
ahrentom
7 months, 1 week ago
Selected Answer: D
"the company deploys a set of Amazon EC2 instances in private subnets to serve as transparent proxies." How could a proxy in a private subnet communicate with the Internet? So we need a second network card with a connection to an IGW. Answer D
upvoted 2 times
...
Russs99
1 year ago
Selected Answer: D
While disabling security checks might seem like a solution, it's not recommended for production environments as it weakens security. The issue lies in routing, not security
upvoted 2 times
...
TheCloudGuruu
1 year, 2 months ago
Selected Answer: A
Answer is A, proxy
upvoted 1 times
...
HunkyBunky
1 year, 2 months ago
Selected Answer: A
Answer is - A
upvoted 1 times
...
alexis123456
1 year, 2 months ago
Correct Answer is A
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other