Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 471 discussion

A company currently runs a secure application on Amazon EC2 that takes files from on-premises locations through AWS Direct Connect, processes them, and uploads them to a single Amazon S3 bucket. The application uses HTTPS for encryption in transit to Amazon S3, and S3 server-side encryption to encrypt at rest.
Which of the following changes should the Solutions Architect recommend to make this solution more secure without impeding the application's performance?

  • A. Add a NAT gateway. Update the security groups on the EC2 instance to allow access to and from the S3 IP range only. Configure an S3 bucket policy that allows communication from the NAT gateway's Elastic IP address only.
  • B. Add a VPC endpoint. Configure endpoint policies on the VPC endpoint to allow access to the required Amazon S3 buckets only. Implement an S3 bucket policy that allows communication from the VPC's source IP range only.
  • C. Add a NAT gateway. Update the security groups on the EC2 instance to allow access to and from the S3 IP range only. Configure an S3 bucket policy that allows communication from the source public IP address of the on-premises network only.
  • D. Add a VPC endpoint. Configure endpoint policies on the VPC endpoint to allow access to the required S3 buckets only. Implement an S3 bucket policy that allows communication from the VPC endpoint only.
Suggested Answer: D
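As an added example (not from the question page or any commenter), here are the two policies that option D describes, written as JSON-ready Python dicts with a minimal evaluator for the bucket policy's deny-unless-from-endpoint rule; the bucket name and the VPC endpoint ID are placeholders.

```python
import json

# Placeholder identifiers (assumptions, not taken from the question).
BUCKET = "example-secure-bucket"
VPCE_ID = "vpce-0123456789abcdef0"

# Gateway endpoint policy: traffic through the endpoint may reach only the
# required bucket, so a compromised instance cannot exfiltrate to another one.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Bucket policy: deny every request that did not arrive via the endpoint.
# aws:SourceVpce is the key that identifies endpoint traffic; aws:SourceIp
# (option B) does not match the VPC's private range for endpoint traffic.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromVpcEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}


def request_denied_by_bucket_policy(context: dict) -> bool:
    """Simplified evaluation of the Deny statement above against a request's
    condition context (only StringNotEquals on aws:SourceVpce is modelled)."""
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            # A request without the key (e.g. from the internet) also fails
            # to equal the expected value, so the Deny applies to it too.
            if context.get(key) != expected:
                return True
    return False


def policies_as_json() -> tuple:
    """Return (endpoint policy, bucket policy) as JSON documents."""
    return json.dumps(ENDPOINT_POLICY, indent=2), json.dumps(BUCKET_POLICY, indent=2)
```

The Deny statement also blocks console and CLI access from outside the VPC, administrators included, so production bucket policies usually carve out an admin principal with an additional condition.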

Comments

Chosen Answer:
SkyZeroZx
1 year, 10 months ago
Selected Answer: D
D - Via process of elimination. And allows for more security than other options.
upvoted 1 times
mimadour21698
1 year, 12 months ago
Selected Answer: D
D for sure
upvoted 1 times
janvandermerwer
2 years, 6 months ago
Selected Answer: D
D - Via process of elimination. And allows for more security than other options. A, C - whitelist S3 IP range -- seems a bit overkill. B - Allows access from all IPs in the VPC - potentially overly permissive.
upvoted 1 times
resnef
2 years, 6 months ago
Agreed with D too. We cannot use aws:SourceIp for VPCE.
upvoted 1 times
TechX
2 years, 10 months ago
Selected Answer: D
It's D, no doubt
upvoted 2 times
m0h3n
3 years, 3 months ago
Ans D.
upvoted 4 times
wahlbergusa
3 years, 3 months ago
Agreed.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other