A SysOps Administrator has received a request to enable access logging for a Network Load Balancer and is setting up an Amazon S3 bucket to store the logs. What are the MINIMUM requirements for the S3 bucket? (Choose two.)
A. The bucket must be in the same Region as the Network Load Balancer.
B. The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket.
A. The bucket must be in the same Region as the Network Load Balancer.
B. The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket.
Requirements
The bucket must be located in the same region as the load balancer.
Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. The following is an example policy.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
"Elastic Load Balancing supports the following types of load balancers: Application Load Balancers, Network Load Balancers, and Classic Load Balancers."
A. The bucket must be in the same Region as the Network Load Balancer:
To store access logs for a Network Load Balancer, the S3 bucket must be in the same AWS Region as the Network Load Balancer. S3 buckets are specific to AWS Regions, and the logs cannot be stored in a bucket located in a different Region.
B. The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket:
For the Network Load Balancer to write access logs to the S3 bucket, the bucket must have a bucket policy that grants the necessary permissions to the Elastic Load Balancing service to perform the write operation. The bucket policy should include the required "s3:PutObject" permission for the AWS service principal associated with Elastic Load Balancing.
If you enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3) for your S3 bucket, each access log file is automatically encrypted before it is stored in your S3 bucket and decrypted when you access it. You do not need to take any action as there is no difference in the way you access encrypted or unencrypted log files.
A. The bucket must be in the same Region as the Network Load Balancer.
B. The bucket must have a bucket policy that grants Elastic Load Balancing permissions to write the access logs to the bucket.
Seem correct
According to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html,
Requirements
1. The bucket must be located in the same Region as the load balancer.
2. Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
3. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.
Therefore I'm choosing A & B considering the 3rd point above. C doesn't specify the encryption type. SSE-S3 is required for encryption.
AWS Doc:
“Requirements
The bucket must be located in the same region as the load balancer.
The prefix that you specify must not include AWSLogs. We add the portion of the file name starting with AWSLogs after the bucket name and prefix that you specify.
Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. The following is an example policy.”
I would pick AB because option C doesn’t specify encryption type!
Ans: A, B
C is not correct since each access log file is automatically encrypted using SSE-S3 before it is stored in your S3 bucket and decrypted when you access it.
No need to enable encryption at bucket level.
A and C
A. The bucket must be in the same Region as the Network Load Balancer.
C. The bucket must have encryption enabled.
Why B is wrong:
Bucket policy needs to allow access to "Service": "delivery.logs.amazonaws.com", and not NLB.
"Principal": {
    "Service": "delivery.logs.amazonaws.com"
},
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
It is A & C
B is wrong because it is saying grant ELB permissions to write to the bucket. The only thing you need is for the bucket to have write permissions.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
Requirements
1. The bucket must be located in the same region as the load balancer.
2. Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
3. The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket.
A, B
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
Requirements
The bucket must be located in the same region as the load balancer.
Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. The following is an example policy.
A and B:
- The bucket must be located in the same region as the load balancer.
- The bucket must have a bucket policy that grants permission to write the access logs to your bucket.
Tricky by B option. AC
Requirements (bucket)
- The bucket must be located in the same region as the load balancer.
- Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
- The bucket must have a bucket policy that grants permission to write the access logs to your bucket.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
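An offline pre-flight check for the bucket requirements quoted in the comments above, as an added example that is not part of the original thread or the AWS documentation. The bucket name, account ID, Regions and the dict layout are constructed placeholders, and an unset default encryption is assumed not to be a finding.

```python
LOG_DELIVERY = "delivery.logs.amazonaws.com"  # service principal quoted in the thread

def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def grants_log_write(policy, bucket):
    """True if an Allow statement lets the log delivery service s3:PutObject into the bucket."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (stmt.get("Effect") == "Allow"
                and LOG_DELIVERY in services
                and any(a in ("s3:PutObject", "s3:*") for a in actions)
                and any(r.startswith(f"arn:aws:s3:::{bucket}/") for r in resources)):
            return True
    return False

def check_log_bucket(lb_region, bucket):
    """Return the list of unmet requirements for a bucket described as a plain dict."""
    findings = []
    if bucket["region"] != lb_region:
        findings.append("bucket is not in the load balancer's Region")
    # "AES256" is the S3 identifier for SSE-S3; an unset default is not flagged (assumption).
    if bucket.get("sse_algorithm") not in (None, "AES256"):
        findings.append("encryption other than SSE-S3 is configured")
    if "AWSLogs" in bucket.get("prefix", ""):
        findings.append("prefix must not include AWSLogs")
    if not grants_log_write(bucket["policy"], bucket["name"]):
        findings.append("bucket policy does not let the log delivery service write")
    return findings

# Constructed sample input: names, account ID and Regions are placeholders.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": LOG_DELIVERY},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-nlb-logs/AWSLogs/111122223333/*"}]}
GOOD = {"name": "example-nlb-logs", "region": "eu-west-1", "sse_algorithm": "AES256",
        "prefix": "", "policy": GOOD_POLICY}
BAD = {"name": "example-nlb-logs", "region": "us-east-1", "sse_algorithm": "aws:kms",
       "prefix": "AWSLogs/nlb", "policy": {"Version": "2012-10-17", "Statement": []}}

if __name__ == "__main__":
    print(check_log_bucket("eu-west-1", GOOD))
    print(check_log_bucket("eu-west-1", BAD))
```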