Exam AWS-SysOps topic 1 question 860 discussion

Exam question from Amazon's AWS-SysOps
Question #: 860
Topic #: 1

A SysOps Administrator must remove public IP addresses from all Amazon EC2 instances to prevent exposure to the internet. However, many corporate applications running on those EC2 instances need to access Amazon S3 buckets. The Administrator is tasked with allowing the EC2 instances to continue to access the S3 buckets.
Which solutions can be used? (Choose two.)

  • A. Deploy a NAT gateway, and configure the route tables accordingly in the VPC where the EC2 instances are running.
  • B. Modify the network ACLs with private IP addresses in the routes to connect to Amazon S3.
  • C. Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3.
  • D. Set up AWS Direct Connect, and configure a virtual interface between the EC2 instances and the S3 buckets.
  • E. Set up a VPC endpoint in the VPC where the EC2 instances are running, and configure the route tables accordingly.
Suggested Answer: AE
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
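
Options A and E both come down to route-table entries, and route tables take effect per subnet. As an added example (not part of the original page), this Python function classifies each subnet's path to S3 from data shaped like `aws ec2 describe-route-tables` output; the name `s3_paths` and every resource ID are constructed for illustration.

```python
# Added example. Input mirrors the shape of `aws ec2 describe-route-tables`
# output; every ID below is a constructed sample value, not a real resource.

def s3_paths(route_tables, subnet_ids):
    """Map each subnet to its S3 paths, using its effective route table
    (explicit association, otherwise the VPC's main route table)."""
    main, by_subnet = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = rt
    result = {}
    for subnet in subnet_ids:
        paths = set()
        for route in (by_subnet.get(subnet, main) or {}).get("Routes", []):
            if route.get("State") != "active":
                continue  # blackhole routes carry no traffic
            gw = route.get("GatewayId", "")
            # Assumption: a prefix-list route to a vpce- target is the S3
            # gateway endpoint; confirm the service on the endpoint itself.
            if route.get("DestinationPrefixListId") and gw.startswith("vpce-"):
                paths.add("gateway-endpoint")      # option E
            elif route.get("DestinationCidrBlock") == "0.0.0.0/0":
                if route.get("NatGatewayId"):
                    paths.add("nat-gateway")       # option A
                elif gw.startswith("igw-"):
                    paths.add("internet-gateway")  # only works with a public IP
        result[subnet] = sorted(paths)
    return result

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [  # constructed
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-a", "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0example", "State": "active"}]},
    {"RouteTableId": "rtb-b", "Associations": [{"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [LOCAL, {"DestinationPrefixListId": "pl-0example",
                        "GatewayId": "vpce-0example", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0",
                 "NatGatewayId": "nat-0deleted", "State": "blackhole"}]},
]

if __name__ == "__main__":
    for subnet, paths in s3_paths(SAMPLE_ROUTE_TABLES, ["subnet-a", "subnet-b", "subnet-c"]).items():
        print(subnet, paths or "no route to S3")
```

A subnet that falls back to a main route table holding only the local route (`subnet-c` here) has no path to S3 even though an endpoint or NAT gateway exists elsewhere in the VPC.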

Comments

mrphuongbn
Highly Voted 2 years, 1 month ago
Really? network ACLs?? This question needs the way to connect between S3 bucket & the EC2, not limit S3 Bucket Access that bucket policy does. A&E are correct.
upvoted 10 times
HeliosABC
Highly Voted 2 years, 1 month ago
A,E this is correct for accessing S3 from a private subnet
upvoted 7 times
Zoroter
Most Recent 9 months, 3 weeks ago
My problem with A is that RT are per subnet, not VPC, other way default NACLs have explicit allow, also why everyone is ignoring SG, it's also possible to allow every ec2 sgs for outbound 80 TCP traffic. IDK weird question, would be much better if there were subnets in A specified but not VPC
upvoted 1 times
szl0144
1 year, 10 months ago
Selected Answer: AE
A E is correct
upvoted 1 times
abhishek_m_86
2 years ago
A. Deploy a NAT gateway, and configure the route tables accordingly in the VPC where the EC2 instances are running. E. Set up a VPC endpoint in the VPC where the EC2 instances are running, and configure the route tables accordingly. Seem correct, as the connectivity between EC2 and S3 is not defined in the question. The above two shall help build that connectivity securely
upvoted 2 times
kkdd
2 years ago
A and E are correct.
upvoted 1 times
NivNZ
2 years ago
Verify that the EC2 instance has connectivity to S3 endpoints. The instance must be one of the following: EC2 instance with a public IP address and a route table entry with the default route pointing to an Internet Gateway. Private EC2 instance with a default route through a NAT gateway. Private EC2 instance with connectivity to Amazon S3 using a Gateway VPC endpoint. Above info from https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/ Therefore, A & E are correct
upvoted 1 times
ThomasY
2 years ago
"prevent exposure to the internet" A will conflict with the above statement. I think the answers are BE.
upvoted 1 times
[Removed]
2 years ago
A&E are correct: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/ "Private EC2 instance with a default route through a NAT gateway. Private EC2 instance with connectivity to Amazon S3 using a Gateway VPC endpoint."
upvoted 2 times
jpush
2 years ago
definitely BE, it says restrict public IP addresses, the way to do this is to specify an IP range using NACL. and E for VPC endpoint to the s3
upvoted 1 times
jackdryan
2 years ago
I'll go with A,E
upvoted 1 times
weril
2 years ago
AE is correct - one keeps the internet connection from inside out and the second uses the VPC endpoint approach
upvoted 1 times
ImranR
2 years, 1 month ago
B & E are correct
upvoted 1 times
ddj99121
2 years, 1 month ago
Ans: B & E
upvoted 5 times