Exam AWS Certified Data Analytics - Specialty topic 1 question 100 discussion

A central government organization is collecting events from various internal applications using Amazon Managed Streaming for Apache Kafka (Amazon MSK).
The organization has configured a separate Kafka topic for each application to separate the data. For security reasons, the Kafka cluster has been configured to only allow TLS encrypted data and it encrypts the data at rest.
A recent application update showed that one of the applications was configured incorrectly, resulting in writing data to a Kafka topic that belongs to another application. This resulted in multiple errors in the analytics pipeline as data from different applications appeared on the same topic. After this incident, the organization wants to prevent applications from writing to a topic different than the one they should write to.
Which solution meets these requirements with the least amount of effort?

  • A. Create a different Amazon EC2 security group for each application. Configure each security group to have access to a specific topic in the Amazon MSK cluster. Attach the security group to each application based on the topic that the applications should read and write to.
  • B. Install Kafka Connect on each application instance and configure each Kafka Connect instance to write to a specific topic only.
  • C. Use Kafka ACLs and configure read and write permissions for each topic. Use the distinguished name of the clients' TLS certificates as the principal of the ACL.
  • D. Create a different Amazon EC2 security group for each application. Create an Amazon MSK cluster and Kafka topic for each application. Configure each security group to have access to the specific cluster.
Suggested Answer: B

Comments

AjithkumarSL
Highly Voted 3 years, 8 months ago
Looks like C is the right option. https://docs.aws.amazon.com/msk/latest/developerguide/msk-acls.html
upvoted 31 times
...
VikG12
Highly Voted 3 years, 9 months ago
C should be the answer.
upvoted 8 times
...
chinmayj213
Most Recent 1 year, 4 months ago
Option B: While Kafka Connect itself doesn't directly "bind" to a topic, you can configure connectors to interact with specific MSK topics in various ways:
1. Connector Configuration: Each connector type has specific configuration options that define the source or sink topics it interacts with.
For source connectors, you'll typically specify the topic name where the connector will read data from. This could be done through properties like topics or source.topics depending on the connector type.
For sink connectors, you'll typically specify the topic name where the connector will write data to. This could be done through properties like topic or sink.topics based on the connector type.
upvoted 1 times
...
pk349
2 years, 2 months ago
C: I passed the test
upvoted 1 times
...
cloudlearnerhere
2 years, 8 months ago
C is correct as per the doc.
Apache Kafka has a pluggable authorizer and ships with an out-of-box authorizer implementation that uses Apache ZooKeeper to store all ACLs. Amazon MSK enables this authorizer in the server.properties file on the brokers. For Apache Kafka version 2.4.1, the authorizer is AclAuthorizer. For earlier versions of Apache Kafka, it is SimpleAclAuthorizer.
Option A is wrong as the security group cannot be used to control which instance can access which topic.
Option B is wrong as it does not restrict access and the applications can still push the data to other topics.
Option D is wrong as it does not meet the least amount of effort requirement.
upvoted 5 times
...
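An added example, not part of any comment in this thread and not AWS or Apache Kafka code: a Python audit for the per-topic ACL approach in option C. It parses a listing in the shape printed by `kafka-acls.sh --list` and reports every ALLOW grant of WRITE or ALL that does not belong to the topic's intended certificate DN. The listing format is assumed, and the DNs, topic names and `OWNERS` mapping are constructed.

```python
import re

# Constructed sample in the shape of `kafka-acls.sh --list` output (format assumed).
SAMPLE_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=app1-events, patternType=LITERAL)`:
 \t(principal=User:CN=app1.example.internal,OU=Apps,O=Example, host=*, operation=WRITE, permissionType=ALLOW)
 \t(principal=User:CN=analytics.example.internal,OU=Apps,O=Example, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=app2-events, patternType=LITERAL)`:
 \t(principal=User:CN=app2.example.internal,OU=Apps,O=Example, host=*, operation=WRITE, permissionType=ALLOW)
 \t(principal=User:CN=app1.example.internal,OU=Apps,O=Example, host=*, operation=WRITE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
 \t(principal=User:*, host=*, operation=ALL, permissionType=ALLOW)
"""

# Hypothetical intended mapping: the one certificate DN allowed to write to each topic.
OWNERS = {
    "app1-events": "User:CN=app1.example.internal,OU=Apps,O=Example",
    "app2-events": "User:CN=app2.example.internal,OU=Apps,O=Example",
}

RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ENTRY_RE = re.compile(r"\(principal=(.+), host=(.+), operation=(\w+), permissionType=(\w+)\)")

def parse_acls(listing):
    """Yield (resource_type, name, pattern_type, principal, operation, permission)."""
    resource = None
    for line in listing.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            resource = m.groups()
            continue
        m = ENTRY_RE.search(line)
        if m and resource:
            principal, _host, operation, permission = m.groups()
            yield (*resource, principal, operation.upper(), permission.upper())

def find_violations(listing, owners):
    """Return (topic, principal, operation) for each write grant the owner map does not justify."""
    findings = []
    for rtype, name, ptype, principal, op, perm in parse_acls(listing):
        if rtype != "TOPIC" or perm != "ALLOW" or op not in {"WRITE", "ALL"}:
            continue
        # Wildcard or prefixed grants, and grants to any other DN, break per-topic isolation.
        broad = name == "*" or ptype != "LITERAL" or principal == "User:*"
        if broad or owners.get(name) != principal:
            findings.append((name, principal, op))
    return findings
```

On the constructed listing it reports the app1 certificate's WRITE grant on app2-events and the wildcard ALL grant, and accepts each application's grant on its own topic.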
rocky48
2 years, 11 months ago
Selected Answer: C
C is correct one
upvoted 1 times
...
chp2022
3 years, 2 months ago
Selected Answer: C
I vote C
upvoted 1 times
...
youonebe
3 years, 4 months ago
C is the answer
upvoted 3 times
...
jamesbond1983
3 years, 5 months ago
B is correct
upvoted 2 times
...
Rahulscrazy7
3 years, 6 months ago
C is correct one
upvoted 2 times
...
aws2019
3 years, 7 months ago
C should be the Ans..
upvoted 1 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other