Exam ANS-C00 topic 1 question 353 discussion

Exam question from Amazon's ANS-C00

A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?

  • A. Configure an AWS Direct Connect private virtual interface to the company's AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
  • B. Configure a VPN connection to the company's AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.
  • C. Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over a Direct Connect connection.
  • D. Configure a VPN connection to the company's AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
Suggested Answer: A
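As an added illustration, not part of the exam question or of the discussion below: a bucket policy that turns the "deny access from public IP addresses" requirement into an enforceable rule for the answer A design, by denying every request that does not arrive through the VPC interface endpoint for S3. The bucket name and the endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessViaS3InterfaceEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-ACCESS-LOGS-BUCKET",
        "arn:aws:s3:::EXAMPLE-ACCESS-LOGS-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE-ID"
        }
      }
    }
  ]
}
```

StringNotEquals evaluates true when the key is absent, so a request that reaches the public S3 endpoint (no aws:SourceVpce) is denied, which is what keeps public-IP access out. The on-premises systems must therefore resolve the bucket to the endpoint's private IPs, through the endpoint-specific DNS name or the HTTPS proxy in the VPC, or their uploads will be rejected.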

Comments

mabalon
Highly Voted 3 years, 6 months ago
Selected Answer: A
The explanation of the user ptpho: S3 can now be provided by PrivateLink. The requirement is "without public IPs" -> only private IPs are allowed to be used --> on-prem - DCX - Priv VIF - VGW - S3 IEP - S3. After being routed from the VGW, we need DNS support to resolve S3, so a CNAME or a proxy can be used to send S3 traffic to the S3 IEP.
upvoted 7 times
mirkensator
Most Recent 2 years, 5 months ago
An Interface VPC Endpoint provides a private IP.
upvoted 1 times
Dan787
3 years, 7 months ago
If we go with option A, assuming there is an interface VPC endpoint for S3, there is no need for the HTTPS proxy which is mentioned in the question. Both A and C will work, but C sounds more reasonable.
upvoted 2 times
walkwolf3
3 years, 7 months ago
C. If you want to access S3 over a Direct Connect to keep that traffic off of the public Internet, you have to attach a public VIF to it. https://www.freeitdata.com/keeping-aws-s3-traffic-private/ https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
upvoted 3 times
ptpho
3 years, 7 months ago
S3 can now be provided by PrivateLink. The requirement is "without public IPs" -> only private IPs are allowed to be used --> on-prem - DCX - Priv VIF - VGW - S3 IEP - S3. After being routed from the VGW, we need DNS support to resolve S3, so a CNAME or a proxy can be used to send S3 traffic to the S3 IEP. So I go with A. https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-direct-connect/
upvoted 6 times
walkwolf3
3 years, 7 months ago
Agreed and changed my answer to C. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html
upvoted 1 times
walkwolf3
3 years, 7 months ago
Typo, changed my answer to A.
upvoted 7 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other