
Exam AWS Certified Security - Specialty topic 1 question 463 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 463
Topic #: 1

A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are running in a single AWS account. No internet connectivity is allowed from any EC2 instances in the account.

A security engineer has configured the relevant settings in Patch Manager. The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.

Which combination of steps must the security engineer take to meet these requirements? (Choose three.)

  • A. Create a gateway VPC endpoint for com.amazonaws.[region].s3.
  • B. Create VPC endpoints for com.amazonaws.[region].ec2messages and com.amazonaws.[region].ssm.
  • C. Create a NAT gateway.
  • D. Update the route tables to route Systems Manager traffic through the NAT gateway.
  • E. Update the route tables with a route to the gateway VPC endpoint.
  • F. Update the route tables to route the update traffic through the NAT gateway.
Suggested Answer: ABE

Comments

createchange
Highly Voted 2 years, 2 months ago
I see why CDF are eliminated. However, I wasn't understanding why A was required, until I found the following: "S3 buckets Your VPC endpoint policy must allow access to at least the following Amazon S3 buckets: The S3 buckets listed in SSM Agent communications with AWS managed S3 buckets. The S3 buckets used by Patch Manager for patch baseline operations in your AWS Region. These buckets contain the code that is retrieved and run on instances by the patch baseline service. Each AWS Region has its own patch baseline operations buckets from which the code is retrieved when a patch baseline document is run. If the code can't be downloaded, the patch baseline command will fail." https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html
upvoted 15 times
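As an added example (it is not part of the question, the comments, or any AWS material), here is an offline Python check that expresses both the three steps of the suggested answer and the S3 endpoint-policy point in createchange's comment above. The inputs mimic the shape of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables` output, but the region, every ID and the bucket name below are constructed for the example; the bucket list for a real endpoint policy must come from the AWS documentation page linked in the comment.

```python
"""
Added example: offline check that a subnet is wired for Patch Manager with no
internet path. The inputs mimic `aws ec2 describe-vpc-endpoints` and
`aws ec2 describe-route-tables` output; all IDs and the region are constructed.
"""
import json

REGION = "eu-west-1"   # assumption for the example; service names are templated on it


def required_services(region, session_manager=False):
    """Endpoint service names Patch Manager needs, keyed to the endpoint type.
    ssm + ec2messages carry SSM Agent and Run Command traffic (answer B); the S3
    gateway endpoint serves the patch baseline buckets and the AL2 repos (answer A).
    ssmmessages is only required if Session Manager is used as well."""
    svcs = {
        f"com.amazonaws.{region}.ssm": "Interface",
        f"com.amazonaws.{region}.ec2messages": "Interface",
        f"com.amazonaws.{region}.s3": "Gateway",
    }
    if session_manager:
        svcs[f"com.amazonaws.{region}.ssmmessages"] = "Interface"
    return svcs


def audit(endpoints, route_tables, subnet_id, region):
    """Return a list of findings; an empty list means the subnet is wired correctly."""
    findings = []
    present = {e["ServiceName"]: e for e in endpoints if e.get("State") == "available"}
    for svc, etype in required_services(region).items():
        ep = present.get(svc)
        if ep is None:
            findings.append(f"missing {etype} endpoint for {svc}")
        elif ep["VpcEndpointType"] != etype:
            findings.append(f"{svc} is {ep['VpcEndpointType']}, expected {etype}")
        elif etype == "Interface" and not ep.get("PrivateDnsEnabled"):
            findings.append(f"{svc}: private DNS disabled, the agent would resolve the public hostname")

    # Route table for the subnet: explicit association first, otherwise the main table.
    rt = next((t for t in route_tables
               if any(a.get("SubnetId") == subnet_id for a in t["Associations"])), None)
    if rt is None:
        rt = next((t for t in route_tables if any(a.get("Main") for a in t["Associations"])), None)
    if rt is None:
        findings.append(f"no route table found for {subnet_id}")
        return findings

    # Answer E: the gateway endpoint must be associated with this route table.
    s3 = present.get(f"com.amazonaws.{region}.s3")
    if s3 is not None and rt["RouteTableId"] not in s3.get("RouteTableIds", []):
        findings.append(f"S3 gateway endpoint is not associated with {rt['RouteTableId']}")

    # Answers C/D/F add an internet path, which the requirement forbids; flag one if present.
    for r in rt["Routes"]:
        target = r.get("NatGatewayId") or r.get("GatewayId", "")
        if target.startswith(("nat-", "igw-")):
            findings.append(f"{rt['RouteTableId']}: {r.get('DestinationCidrBlock')} via {target} is an internet path")
    return findings


def s3_endpoint_policy(buckets):
    """Endpoint policy restricting the gateway endpoint to the buckets Patch Manager reads.
    Pass the per-Region bucket list from the AWS doc; the default '*' policy is wider."""
    resources = []
    for b in buckets:
        resources += [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": resources}]}


def _ep(name, etype, **extra):
    return {"ServiceName": f"com.amazonaws.{REGION}.{name}", "VpcEndpointType": etype,
            "State": "available", **extra}


# Constructed inventory matching the suggested answer (A, B, E): no NAT, no IGW.
GOOD_ENDPOINTS = [
    _ep("ssm", "Interface", PrivateDnsEnabled=True),
    _ep("ec2messages", "Interface", PrivateDnsEnabled=True),
    _ep("s3", "Gateway", RouteTableIds=["rtb-private"]),
]
GOOD_ROUTE_TABLES = [{
    "RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-patch"}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
               {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}],
}]

# Constructed inventory for the NAT-based options: ec2messages and S3 missing, NAT default route.
BAD_ENDPOINTS = [_ep("ssm", "Interface", PrivateDnsEnabled=False)]
BAD_ROUTE_TABLES = [{
    "RouteTableId": "rtb-nat", "Associations": [{"Main": True}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
               {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}],
}]

if __name__ == "__main__":
    for label, eps, rts in (("good", GOOD_ENDPOINTS, GOOD_ROUTE_TABLES),
                            ("bad", BAD_ENDPOINTS, BAD_ROUTE_TABLES)):
        print(label, audit(eps, rts, "subnet-patch", REGION) or "OK")
    # Placeholder bucket name; substitute the Region's list from the AWS docs.
    print(json.dumps(s3_endpoint_policy([f"patch-baseline-snapshot-{REGION}"]), indent=2))
```

Two things the check does not cover and a practitioner still has to verify by hand: the security group on the interface endpoints must allow inbound 443 from the instance subnets, and the instance profile still needs the SSM managed-instance permissions, otherwise the agent reaches the endpoint and is rejected there.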
Teknoklutz
Highly Voted 2 years, 5 months ago
Selected Answer: ABE
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create
upvoted 10 times
PatrickLi
Most Recent 2 years, 2 months ago
Selected Answer: ABE
Answer is ABE
upvoted 1 times
secdaddy
2 years, 4 months ago
ABE, as NAT = Internet, which isn't allowed, so CDF are eliminated automatically
upvoted 6 times
AdamWest
2 years, 5 months ago
Selected Answer: ABE
ABE - Correct
upvoted 2 times
D2
2 years, 5 months ago
Selected Answer: ABE
Answer ABE
upvoted 2 times
Teknoklutz
2 years, 5 months ago
I think B, C and D
upvoted 3 times
Nocky24
2 years, 3 months ago
Internet access not allowed so NAT gateway is ruled out
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), other