Exam ANS-C00 topic 1 question 19 discussion

Exam question from Amazon's ANS-C00
Question #: 19
Topic #: 1

Your company's policy requires that all VPCs peer with a "common services" VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common services VPC as required by policy. You launch an Amazon EC2 Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC. The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.
Which step should you take to enable access to Amazon S3?

  • A. Update the S3 bucket policy with the private IP address of the instance.
  • B. Exclude 169.254.169.0/24 from the instance's proxy configuration.
  • C. Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.
  • D. Update the CORS configuration for Amazon S3 to allow traffic from the proxy.
Suggested Answer: D

Comments

examinfo
Highly Voted 3 years, 8 months ago
should be B. check the link: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-proxy.html If you configure a proxy on an Amazon EC2 instance launched with an attached IAM role, ensure that you exempt the address used to access the instance metadata. To do this, set the NO_PROXY environment variable to the IP address of the instance metadata service, 169.254.169.254. This address does not vary.
upvoted 26 times
guruguru
3 years, 7 months ago
Great finding! Should be B.
upvoted 2 times
Balki
2 years, 5 months ago
Agreed.
upvoted 1 times
jason2009
Highly Voted 3 years, 7 months ago
For those who said D, I doubt you have any experience with web development. CORS has nothing to do with the response code. CORS is a client-side security restraint (which involves some server-side configuration). In a CORS situation, the server still responds with code 200 regardless of the origin of the request, if otherwise permissible (for example, the token is correct). A server should NEVER, EVER respond 403 because of CORS. 403 means only one thing (if implemented correctly): your credential is RIGHT, but you don't have permission, i.e. you are authenticated but NOT authorized. For this question, as it clearly said the IAM role is correctly configured on this instance, it's suggesting an IAM machine-linked role, and for this to work you would need the metadata service to talk to STS and get a temp token. The proxy's token will be valid but not authorized. Exactly what 403 means. Thus B.
upvoted 13 times
PavanKushwah123
Most Recent 2 years, 5 months ago
Correct Answer B
upvoted 1 times
Deepshete
3 years, 3 months ago
Here the ask is that the application installed on the EC2 instance in the new VPC needs access to the S3 bucket. As per the link below, you can configure Cross-Origin Resource Sharing (CORS) for an S3 bucket if you want that bucket and objects in that bucket to be accessible to web applications in other domains. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html So I guess answer D is correct.
upvoted 1 times
neershah
3 years, 4 months ago
Selected Answer: B
B is the correct one
upvoted 2 times
Cyril_the_Squirl
3 years, 7 months ago
C is Correct. https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html#transitive-peering
upvoted 2 times
student2020
3 years, 7 months ago
After reading through again, I think answer is B.
upvoted 1 times
student2020
3 years, 7 months ago
C is the best answer. If you configure a S3 gateway VPC endpoint in the new VPC where the Windows instance is, it will add a more specific route to the S3 prefixes in the same region to the route table. This route will be more preferred so the traffic to S3 will be routed directly and privately via the S3 VPC endpoint. The reason a 403 is being returned is because, when traffic is sent to a proxy, the traffic is source NAT'd to look like its originating from the proxy. Therefore the correct IAM instance role configured on the original Windows instance does not get used. The instance role of the proxy is used as it is the one initiating the connection to S3 on behalf of the Windows instance. There is no way one instance (the proxy) can initiate a request to S3 using the instance role of another instance (the Windows instance).
upvoted 2 times
jason2009
3 years, 7 months ago
The problem is IAM role. In order to use a machine associated IAM role, the instance has to have access to instance metadata. Even if you provisioned S3 endpoint, as in C, if the call to get temp token through instance metadata service is forwarded to proxy, you will still get the same token and S3 returned 403.
upvoted 4 times
PeppaPig
3 years, 7 months ago
B is def the correct answer. S3 returning 403 (Access Denied) clearly indicates it is an IAM permission issue. Your application on EC2 gets temp credentials by requesting instance metadata served at 169.254.169.254. You have to exclude this address from your proxy settings. Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-proxy.html It has nothing to do with networking. In addition, an S3 gateway endpoint isn't shared across peered VPCs, thus there is no point in adding an endpoint in the "common services VPC".
upvoted 5 times
Erso
3 years, 7 months ago
It's a tricky question but I think that the correct answer is C. If you use EC2 within a VPC and S3 the VPC endpoint is a best practice. During the exam I always prefer to follow the best practices :)
upvoted 1 times
MaikM
3 years, 7 months ago
So you think that they mention proxys, company policies, common services VPC, only to trick us ?
upvoted 1 times
Cyril_the_Squirl
3 years, 7 months ago
Yes, exactly. VPC traffic does not transit VPC
upvoted 1 times
sensor
3 years, 7 months ago
Clearly C - Gateway endpoint. VPC endpoint does not traverse Internet or through a NAT instance, VPN connection, or AWS Direct Connect. Source: official study guide, ch 2, pg 46
upvoted 1 times
sensor
3 years, 7 months ago
Correction for source - not valid. Isn't this question same as #13? In 13 VPC endpoint for S3 is valid option.
upvoted 1 times
2aldous
3 years, 7 months ago
Answer is B "If you configure a proxy on an Amazon EC2 instance launched with an attached IAM role, ensure that you exempt the address used to access the instance metadata. To do this, set the NO_PROXY environment variable to the IP address of the instance metadata service, 169.254.169.254. This address does not vary."
upvoted 2 times
lunt
3 years, 7 months ago
A. Nope. All traffic is being sent to the proxy. Cannot establish if we are even getting there. C. Nope. Possible, but as all traffic is being configured to forward to the proxy, the local VPCE would never be hit, even if it was configured. D. Nope. B. Yes. Standard official text book response. Metadata lookup is used to get the role permissions. The application does a lookup on metadata to get the current token associated with the role and uses this to make API calls: TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access Link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
upvoted 4 times
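An added example, written by the editor and not part of any comment above or of the AWS documentation, to make the point behind examinfo's and lunt's answers concrete: it works out which path the two IMDSv2 requests an SDK makes (the token PUT and the role-credentials GET) would take under a given proxy configuration, using the NO_PROXY matching from Python's urllib, which is what botocore (underneath the AWS CLI) delegates its bypass check to. The proxy hostname and the environment dicts are constructed for the example; nothing is read from the real environment and no request is sent.

```python
# Added example (editor's code, not from the exam page or AWS docs):
# which path an IMDS credential lookup takes under a proxy configuration.
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

IMDS_HOST = "169.254.169.254"  # fixed link-local address of the instance metadata service
IMDS_TOKEN_URL = f"http://{IMDS_HOST}/latest/api/token"
IMDS_ROLE_CREDS_URL = f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/"

# Constructed settings; the proxy hostname is a placeholder, not from the page.
PROXY_URL = "http://l7proxy.common-services.example:3128"
FORWARD_ALL = {"HTTP_PROXY": PROXY_URL, "HTTPS_PROXY": PROXY_URL}           # the broken setup
FORWARD_ALL_EXCEPT_IMDS = {**FORWARD_ALL, "NO_PROXY": IMDS_HOST}            # answer B as the docs word it
FORWARD_ALL_EXCEPT_CIDR = {**FORWARD_ALL, "NO_PROXY": "169.254.169.0/24"}   # answer B as the option words it


def proxies_from_env(env):
    """Map an environment dict (constructed, not os.environ) to the
    {'http': ..., 'https': ..., 'no': ...} shape urllib works with."""
    proxies = {}
    for scheme in ("http", "https"):
        value = env.get(f"{scheme}_proxy") or env.get(f"{scheme.upper()}_PROXY")
        if value:
            proxies[scheme] = value
    no_proxy = env.get("no_proxy") or env.get("NO_PROXY")
    if no_proxy:
        proxies["no"] = no_proxy
    return proxies


def route_for(url, env):
    """Return 'direct' or the proxy URL a urllib-based client would use for url.
    urllib matches NO_PROXY entries as literal hosts or domain suffixes only;
    a CIDR block such as 169.254.169.0/24 never matches and is silently ignored."""
    parts = urlsplit(url)
    proxies = proxies_from_env(env)
    proxy = proxies.get(parts.scheme)
    if proxy is None or proxy_bypass_environment(parts.hostname, proxies):
        return "direct"
    return proxy


def credential_fetch_plan(env):
    """The two IMDSv2 requests an SDK makes to obtain the instance role's
    temporary credentials, each with the path it would take under env."""
    return [
        ("PUT", IMDS_TOKEN_URL, route_for(IMDS_TOKEN_URL, env)),
        ("GET", IMDS_ROLE_CREDS_URL, route_for(IMDS_ROLE_CREDS_URL, env)),
    ]


def imds_is_proxied(env):
    """True when any step of the credential lookup would leave the instance for
    the proxy. A forwarded request to 169.254.169.254 is answered, if at all, by
    the proxy host's own metadata service, so the caller never gets its own role."""
    return any(route != "direct" for _, _, route in credential_fetch_plan(env))


if __name__ == "__main__":
    for label, env in (("forward all", FORWARD_ALL),
                       ("NO_PROXY=169.254.169.254", FORWARD_ALL_EXCEPT_IMDS),
                       ("NO_PROXY=169.254.169.0/24", FORWARD_ALL_EXCEPT_CIDR)):
        print(f"{label}: IMDS proxied = {imds_is_proxied(env)}")
        for method, url, route in credential_fetch_plan(env):
            print(f"  {method} {url} -> {route}")
    # S3 itself still goes through the layer 7 proxies, which is what the policy requires.
    print("S3:", route_for("https://example-bucket.s3.amazonaws.com/key", FORWARD_ALL_EXCEPT_IMDS))
```

Two practical points fall out of running it. First, the exemption only needs to cover the metadata address; the S3 request itself still rides the layer 7 proxies, so the company policy is kept. Second, write the exemption exactly as the AWS CLI documentation does, as the literal address 169.254.169.254: Python's urllib (and so botocore) treats NO_PROXY entries as hostnames or domain suffixes, so the /24 form in option B is not honoured there even though some other clients accept CIDR notation. Whichever client your application uses, the check is the same: the token PUT and the credentials GET must both be "direct".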
backfringe
3 years, 7 months ago
agree it's B. NO_PROXY = 169.254.169.254
upvoted 3 times
NicholasBob
3 years, 7 months ago
I think B because of this article https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-proxy.html The instance is configured to forward all traffic to an HTTP proxy, which means all traffic will always go via the proxy, so an endpoint in the same subnet won't change anything because the EC2 will continue to forward HTTP traffic to the proxies.
upvoted 2 times
luckymuki
3 years, 7 months ago
My opinion B is right answer
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other