Exam ANS-C00 topic 1 question 72 discussion

'LEAST EFFORT' - Good luck with answer A :) Start coding and sledgehammer to crack a walnut or click, click, click, next, done, take your pick.... 'Modifying Your Security Group - If the VPC security group associated with your instance restricts outbound traffic, you must add a rule to allow traffic destined for the AWS service to leave your instance. To add an outbound rule for a gateway endpoint Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Security Groups. Select your VPC security group, choose the Outbound Rules tab, and then choose Edit. Select the type of traffic from the Type list, and enter the port range, if required. For example, if you use your instance to retrieve objects from Amazon S3, choose HTTPS from the Type list. For Destination, start entering pl- to display a list of prefix list IDs and names for the available AWS services. Choose the prefix list ID for the AWS service, or enter it. Choose Save.' https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html

Its C. They say that when the SG was made, they looked at the IPs published in the Prefix list at the time. These IPs change hence they recommend never to put IPs manually and use the prefix list instead. Hence, C is the right approach to use the prefix-list so when the IPs change, they will be automatically updated by AWS.

Between A and C. It was working correctly, but now there is a growing number of timeouts. There must be some changes. C is precise. A implies there were changes.

C is indeed the simplest option.

The default outbound rule allows all outbound traffic. If the security group has more restrictive rules than the default outbound rule, then add one of the following: An outbound rule allowing traffic to the ID of the prefix list associated with the gateway VPC endpoint. An outbound rule with Destination set to the VPC endpoint for Amazon S3.

C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.

answer is C

C is correct. Using IP Prefix will solve the problem completely as prefix is automatically updated

Since the key target is the LEAST amount of work to do, updating the SG with the latest prefix list manually can only fix one time. And the subscription to AWS public address changes via Amazon SNS with a Lambda function to update the SG needs only one-time effort and after this work, the whole progress will be automatic.

Least amount of work , updating SG whenever IPs change (C) or via automation doing only once(A). It says it was working fine but recently became , so means IPs may change dynamically again. If you sum all manual jobs on SG update and compares one-time job with lambda , I would say certainly A

A seem to be the answer. Although C appears to be correct, specifying CIDR doesn't make any difference address changes at AWS end as JASON file usually consist of CIDRs along with some specific subnets. You can create a SNS topic to for JASON file update and SNS can trigger lambda to change SGs.

Just tried. In the SG you can select the pl-68a54001 as a destination for reaching the S3 gateway endpoint service. It is the same pl-68a54001 in the route-table for the endpoint service

The question clearly states " No internet gateway is configured for the VPC". This suggests no internet connection,so how lambda update of the SG can happen ? Not sure whether A or C is the right choice

https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html C

Answers should be C. Look at section "Modifying your security group" https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html

Correct answer is C: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html C is LEAST amount of effort. There is S3 gateway endpoint which ip-prefix list can be referenced in SG. Option A can be done, but it's more effort and includes all Amazon public ip addresses changes, not only for S3 Endpoint gateway.

https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/ A is the correct one for me