
Exam AWS Certified Security - Specialty topic 1 question 92 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 92
Topic #: 1

A company has two AWS accounts, each containing one VPC. The first VPC has a VPN connection with its corporate network. The second VPC, without a VPN, hosts an Amazon Aurora database cluster in private subnets. Developers manage the Aurora database from a bastion host in a public subnet as shown in the image.

A security review has flagged this architecture as vulnerable, and a Security Engineer has been asked to make this design more secure. The company has a short deadline and a second VPN connection to the Aurora account is not possible.
How can the Security Engineer securely set up the bastion host?

  • A. Move the bastion host to the VPC with VPN connectivity. Create a VPC peering relationship between the bastion host VPC and Aurora VPC.
  • B. Create an SSH port forwarding tunnel on the Developer's workstation to the bastion host to ensure that only authorized SSH clients can access the bastion host.
  • C. Move the bastion host to the VPC with VPN connectivity. Create a cross-account trust relationship between the bastion VPC and Aurora VPC, and update the Aurora security group for the relationship.
  • D. Create an AWS Direct Connect connection between the corporate network and the Aurora account, and adjust the Aurora security group for this connection.
Suggested Answer: A
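Option A expressed as infrastructure code, added here as an illustration; it is not part of the exam question or of any commenter's post. It is a Terraform configuration with two provider aliases (one per account); every ID, CIDR, account number and CLI profile name in it is a placeholder, and the database port assumes Aurora MySQL. The points it makes concrete: the bastion's SSH rule allows only the corporate CIDR (reached over the existing VPN), the peering is requested from the bastion account and accepted from the Aurora account, the peering routes cover only the two VPC CIDRs (the corporate CIDR is never routed into the Aurora VPC, so no edge-to-edge routing is attempted), and the Aurora security group admits database traffic from the bastion VPC CIDR only.

```hcl
# Added example (not from the exam page): option A as Terraform.
# Assumptions, all placeholders: provider aliases bastion_account (the
# VPN-connected account) and aurora_account, plus the IDs, CIDRs and
# account number in the locals block.

provider "aws" {
  alias   = "bastion_account"
  region  = "us-east-1"
  profile = "bastion-account" # assumed CLI profile name
}

provider "aws" {
  alias   = "aurora_account"
  region  = "us-east-1"
  profile = "aurora-account"  # assumed CLI profile name
}

locals {
  bastion_vpc_id         = "vpc-0bastion000000000" # placeholder
  bastion_vpc_cidr       = "10.10.0.0/16"          # placeholder
  bastion_private_rtb_id = "rtb-0bastion000000000" # placeholder
  bastion_sg_id          = "sg-0bastion00000000"   # placeholder
  aurora_account_id      = "222222222222"          # placeholder
  aurora_vpc_id          = "vpc-0aurora0000000000" # placeholder
  aurora_vpc_cidr        = "10.20.0.0/16"          # placeholder
  aurora_private_rtb_id  = "rtb-0aurora0000000000" # placeholder
  aurora_sg_id           = "sg-0aurora00000000"    # placeholder
  corporate_cidr         = "192.168.0.0/16"        # placeholder
}

# 1. The bastion now sits in a private subnet of the VPN-connected VPC.
#    SSH is reachable only from the corporate network over the VPN;
#    there is no 0.0.0.0/0 rule and no public IP.
resource "aws_security_group_rule" "bastion_ssh_from_corp" {
  provider          = aws.bastion_account
  type              = "ingress"
  security_group_id = local.bastion_sg_id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [local.corporate_cidr]
}

# 2. Cross-account VPC peering: requested from the bastion account...
resource "aws_vpc_peering_connection" "bastion_to_aurora" {
  provider      = aws.bastion_account
  vpc_id        = local.bastion_vpc_id
  peer_vpc_id   = local.aurora_vpc_id
  peer_owner_id = local.aurora_account_id
  auto_accept   = false # the other account must accept it
}

# ...and accepted from the Aurora account.
resource "aws_vpc_peering_connection_accepter" "aurora_side" {
  provider                  = aws.aurora_account
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion_to_aurora.id
  auto_accept               = true
}

# 3. Routes cover only the two VPC CIDRs. The corporate CIDR is not routed
#    into the Aurora VPC: corporate users reach the bastion, and the bastion
#    reaches Aurora. Peering does not carry the VPN onward (no edge-to-edge).
resource "aws_route" "bastion_to_aurora" {
  provider                  = aws.bastion_account
  route_table_id            = local.bastion_private_rtb_id
  destination_cidr_block    = local.aurora_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion_to_aurora.id
}

resource "aws_route" "aurora_to_bastion" {
  provider                  = aws.aurora_account
  route_table_id            = local.aurora_private_rtb_id
  destination_cidr_block    = local.bastion_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion_to_aurora.id
  depends_on                = [aws_vpc_peering_connection_accepter.aurora_side]
}

# 4. Aurora accepts database connections from the bastion VPC CIDR only.
resource "aws_security_group_rule" "aurora_from_bastion" {
  provider          = aws.aurora_account
  type              = "ingress"
  security_group_id = local.aurora_sg_id
  from_port         = 3306 # assumes Aurora MySQL; Aurora PostgreSQL uses 5432
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = [local.bastion_vpc_cidr]
}
```

Apply it with credentials for both accounts configured under the two profile names. Note that after this change the Aurora VPC still has no VPN of its own, which is exactly what the question requires: the only path from the corporate network to the database goes VPN, then bastion, then peering.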

Comments

Edgecrusher77
Highly Voted 3 years, 8 months ago
I would say A
upvoted 22 times
justfmm
3 years, 5 months ago
Is A considered edge-to-edge routing? You have a VPC peering connection between VPC A and VPC B. VPC A also has a Site-to-Site VPN connection or an AWS Direct Connect connection to a corporate network. Edge-to-edge routing is not supported; you cannot use VPC A to extend the peering relationship to exist between VPC B and the corporate network. For example, traffic from the corporate network can't directly access VPC B by using the VPN connection or the AWS Direct Connect connection to VPC A. https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html I might go with C.
upvoted 2 times
yqoswlyilylqw
3 years, 5 months ago
It isn't edge to edge routing as the Corp user would jump to the Bastion Host and then route to the Aurora database from the Bastion host. Edge to edge would be a Corp user trying to access the Aurora Database directly from their Corp network. I would say A.
upvoted 9 times
ChinkSantana
Highly Voted 3 years, 8 months ago
Answer should be A from an Architecture perspective. Move the Bastion Host to the VPC on the left. Create a VPC peering between both VPC. Access Bastion host from Corporate network. Manage Aurora DB cluster from Bastion host.
upvoted 6 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
Correct answer: A
upvoted 1 times
OCHT
2 years ago
Selected Answer: A
Option B isn't the best choice because it doesn't address the main architectural issue: the bastion host being publicly accessible. An SSH port forwarding tunnel can secure the connection, but the host is still reachable from the public internet. Option C is not feasible as AWS does not support cross-account trust relationships at the VPC level. It's possible to establish cross-account trust at the IAM level, but it won't help secure the connection to the Aurora DB. Option D isn't the best choice because setting up Direct Connect would not be the most effective or cost-efficient solution for this problem. Direct Connect also takes a significant amount of time to set up, which may not align with the short deadline stated in the question.
upvoted 2 times
ITGURU51
2 years ago
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. A
upvoted 1 times
patou
2 years, 1 month ago
Selected Answer: A
This is clearly A
upvoted 1 times
Dara2315
2 years, 6 months ago
Selected Answer: A
Recommend answer
upvoted 1 times
mosquitos
2 years, 6 months ago
Selected Answer: A
I would say A
upvoted 1 times
sapien45
2 years, 11 months ago
Selected Answer: A
Moving the bastion host to the VPN VPC means that the bastion host could be hosted on a private VPC; there is no longer any need to open port 22 to the internet.
upvoted 2 times
lotfi50
3 years, 3 months ago
Selected Answer: A
A is a good answer.
upvoted 1 times
alghoundar
3 years, 4 months ago
A for me.
upvoted 1 times
kiev
3 years, 7 months ago
A, all day long.
upvoted 3 times
Ayusef
3 years, 7 months ago
It may be... C... guys. The VPCs are in different accounts and you need cross-account access to set up a peering connection. This is a tricky one that seems simple at first glance. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html
upvoted 2 times
ChauPhan
3 years, 7 months ago
There is no such cross-account trust relationship between the VPCs. You can set up VPC peering between two AWS accounts' VPCs (cross-account).
upvoted 5 times
sanjaym
3 years, 8 months ago
Ans: A
upvoted 2 times
eskimolander
3 years, 8 months ago
Although I have doubts as C is also valid as you are probably securing it more by including the IP address. However, it depends on the number of developers and which one would be quicker. I suspect that C.
upvoted 1 times
eskimolander
3 years, 8 months ago
A, plus the developers were already using SSH via the bastion, and the question is to make it more secure.
upvoted 4 times
Ale_Ik
3 years, 8 months ago
A: bastion accessed via VPN, then connects to Aurora.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other