Exam ANS-C00 topic 1 question 66 discussion

NAT is not require

I would go for A. Very helpful link. https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-vpc-subnet.html

I tempt to agree with B. KMS is reachable either over Internet or Private Link VPC endpoint. Since we don't have an option to use public subnet, but still need to access KMS, given that endpoint is not mentioned, NAT GW is the only possible scenario.

Correct is B as mentioned multiple times - requirement comes from the KMS - EMR must reach it either via VPC interface endpoint from a private subnet (not mentioned) or via NAT GW from a private subnet (answer B)

The only way you can use KMS without internet access is privateLink (interface endpoint). This isn't an option in any of the answers. A and C don't allow internet access, in that case the data can't be encrypted with KMS, so they're out. D is ok, but there's an existing VPC, and I see no added value in a new one. So I'm going with B.

Looks like 'C'

Ans: B Refer - https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-vpc-subnet.html "You can launch Amazon EMR clusters in both public and private VPC subnets. This means you do not need internet connectivity to run an Amazon EMR cluster; however, you may need to configure network address translation (NAT) and VPN gateways to access services or resources located outside of the VPC, for example in a corporate intranet or public AWS service endpoints like AWS Key Management Service." The question says - Amazon EMR service to handle sensitive data....before uploading to S3....encrypt using AWS KMS. To access AWS KMS, NAT is required!

Option A - no mention of VPN, but VPN already exist to the current VPS. If we assume it is in AWS VPC already, then it would be simpler to use the existing VPN and just add S3 endpoint. In terms of security there will be no difference with C. I would go with A.

Correct answer is B, and here is why: B - You don't have to create new VPC (VPS is typo), because there is one already configured with working VPN connection between VPC and on-premises. So, C and D options are excluded. Now, you actually need NAT Gateway, because you need to communicate with with KMS.

1. Source data is on-prem and hence EMR cluster need to connect to on-prem. 2. To connect to on-prem from VPC securely, VPN is needed. 3. Output need to be sent to S3 securely hence S3 endpoint is needed. 4. EC2 instances cannot be on public subnet. Option A, no mention of VPN. Hence not the right choice. Option B, no mention of VPN. Hence not the right choice. Option C, VPN without IGW, VPN and EMR are in private subnets with S3 endpoint. Secured and satisfies the requirements. Option D, NAT gateway is not needed.

1. Source data is on-prem and hence EMR cluster need to connect to on-prem. 2. To connect to on-prem from VPC securely, VPN is needed. 3. Output need to be sent to S3 securely hence S3 endpoint is needed. 4. EC2 instances cannot be on public subnet. Option A, no mention of VPN. Hence not the right choice. Option B, no mention of VPN. Hence not the right choice. Option C, VPN without IGW, VPN and EMR are in private subnets with S3 endpoint. Secured and satisfies the requirements. Option D, NAT gateway is not needed.

simplest and secure, but a VPN is being used so IGW is required. KMS also being used but can't use the public subnet. So it has to be B

I think this question was designed to confuse by using VPS and VPC interchangeably. VPS has no significance, the point is EMR and security, so have to go with A

VPS cannot operate on the public subnet, so a new one is needed. NAT is not required.

the question says "the securest", so: - Internet Gateway is not necessary, neither Nat gateway. - EMR communication to S3 is going to be through the Endpoint.

B. PANDU Highly Voted 1 year, 11 months ago B, I think it aslo needs kms as well upvoted 8 times

A B. NAT gateway is for outbound to internet traffic from private subnet in VPC. The communication between EMR and S3 will go through endpoint instead of internet, so NAT gateway is not necessary. C. No need to create a new VPC, and VPN won't be built without IGW D. same reason as C