Exam ANS-C00 topic 1 question 13 discussion

It should be BC. VPC endpoint would provide S3 access and Squid proxy on a NAT instance can be used to restrict access to particular URLs.

Correct Answer CD

BC. we have deployed same architecture :)

NAT Gateway does not allow create a whitelist, so a proxy (squid) is necessary here. in order to access S3 in the "same region", a VPC endpoint (Gateway endpoint). So, BC are the correct answers

answer is BC

B and C, but so far an AWS firewall should do it

BC. Squid proxy on a NAT instance can be used to restrict access to particular URLs. VPC endpoint Gateway would provide S3 access.

BC. A is wrong because it says accessing S3 through any URLs. Potentially, you could create a DNS record of any name and point to the S3. In that case, it will be dropped.

How/why would you run a nat instance and a nat gateway?

B,C for me

Band C for me

Answer: B,C A - incorrect - missing region: s3.<region>.amazonaws.com B - correct - EC2->VPC Endpoint->S3 bucket (S3 endpoints can access buckets in specified region only. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html) C - correct - EC2->NAT Instance->Squid Proxy+Whitelists/Blacklists->Internet->Allowed sites/URLs D - incorrect - doesn't enable whitelisting, but allows all internet access E - incorrect - doesn't enable whitelisting on URLs, also can't deny anything (use NACLs) - both require code to constantly update allow, allow/deny rules

B and D

B and D "The instance requite access to internet"

B, C are the correct answers. https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/

Correct ans for me C & D C - squid proxy permit connections to whitelisted domains that you define. https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/ D-Instance is in a private subnet and requires access to the interent.

it's B & C