ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 115 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 115
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and in internet gateway. Each public subnet also contains a NAT gateway. Most of the company’s applications read from and write to Amazon Kinesis Data Streams. Most of the workloads run in private subnets.

A solutions architect must review the infrastructure. The solution architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.

What should the solutions architect do to meet these requirements?

  • A. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.
  • B. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
  • C. Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams. Configure security groups to block that traffic.
  • D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by masetromain at Jan. 15, 2023, 4:42 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
God_Is_Love
Highly Voted 2 years, 5 months ago
Selected Answer: D
VPC endpoints to mitigate NAT gateway huge data transfer costs especially in Kinesis usecase where large data is passed thru With a VPC endpoint policy, you can define rules to control access to the VPC endpoint. You can specify the source IP address or IP address range that is allowed to access the endpoint, as well as the type of traffic that is allowed, such as HTTP, HTTPS, or custom TCP ports. You can also specify the resources that can be accessed through the VPC endpoint, such as an Amazon S3 bucket or an Amazon DynamoDB table.
upvoted 14 times
...
Maria2023
Highly Voted 2 years, 1 month ago
Selected Answer: D
B is a distractor. You don't need IAM permissions to use a service via an endpoint. You only need to set up proper routing to that endpoint
upvoted 10 times
...
thanab
Most Recent 2 weeks ago
Selected Answer: B
i think B. I feel it
upvoted 1 times
...
princajen
2 weeks ago
Selected Answer: B
VPC endpoint policies control which principals can use the endpoint, but they don’t grant permission to use the AWS service itself. The default policy allows all access, so in most cases you don’t need to modify it. However, applications still require IAM permissions to perform actions like reading or writing to Kinesis. Therefore, for exam and real-world purposes, IAM access is the critical piece, and Option B is the best answer. Think of it like this: You built a private tunnel (VPC endpoint) from your office to AWS. The tunnel gate (endpoint policy) is open by default. But when your employee arrives at the AWS service door, the IAM guard still checks their ID badge (permissions). If they don’t have the right badge (IAM permission), they’re still denied — even if the tunnel is open.
upvoted 1 times
...
kylix75
6 months, 3 weeks ago
Selected Answer: B
The correct answer is B. Rationale: Interface VPC endpoints for Kinesis eliminate NAT gateway traffic costs Applications in private subnets can access Kinesis through the VPC endpoint IAM permissions are the proper security control Maintains functionality while reducing costs Other options issues: A/C: Flow logs analysis won't reduce NAT costs D: Similar to B but focuses on endpoint policy instead of IAM permissions
upvoted 2 times
...
Heman31in
8 months, 1 week ago
Selected Answer: D
Why Option D is a Better Fit Here Cost Reduction Goal: The scenario is primarily about reducing NAT gateway costs by using a VPC endpoint. A properly configured VPC endpoint policy ensures applications can connect to Kinesis through the private endpoint without hitting NAT gateways. IAM Permissions Likely Already Exist: If the applications are already interacting with Kinesis, their IAM permissions should already be in place. The focus, therefore, shifts to configuring the new VPC endpoint properly. Endpoint Policy Completeness: VPC endpoint policies act as a resource-based policy at the network level, which is critical for ensuring that applications can route their traffic correctly through the VPC endpoint.
upvoted 1 times
...
youonebe
9 months ago
Answer is B. Option D is incorrect. While similar to B, focuses on endpoint policy instead of IAM permissions VPC endpoint policies alone are insufficient IAM permissions are crucial for application access
upvoted 1 times
...
Syre
11 months ago
Selected Answer: B
Access Permissions are still required for most AWS services, including Kinesis Data Streams, even when accessed via a VPC endpoint. The endpoint allows traffic to the service, but your application or users still need IAM permissions to interact with the service. Without proper IAM permissions, even if the routing is set up correctly, the service will not authorize actions like reading from or writing to a Kinesis stream.
upvoted 2 times
...
amministrazione
11 months, 2 weeks ago
D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.
upvoted 1 times
...
red_panda
1 year, 3 months ago
Selected Answer: D
D without any doubt.
upvoted 1 times
...
gofavad926
1 year, 5 months ago
Selected Answer: D
D, VPC endpoint
upvoted 2 times
...
gofavad926
1 year, 5 months ago
Selected Answer: D
D, VPC endpoint
upvoted 1 times
...
career360guru
1 year, 7 months ago
Selected Answer: D
Option D
upvoted 1 times
...
rlf
1 year, 10 months ago
Answer is D. An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which AWS principals can use the endpoint to access an AWS service. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
upvoted 1 times
...
NikkyDicky
2 years, 1 month ago
Selected Answer: D
It's a d
upvoted 1 times
...
SkyZeroZx
2 years, 2 months ago
Selected Answer: D
reduce cost == interface VPC endpoint
upvoted 3 times
SkyZeroZx
2 years, 2 months ago
A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.
upvoted 1 times
...
...
Anonymous9999
2 years, 4 months ago
Selected Answer: D
D is the answer. It's not B because user's/applications doesn't need permissions to use an endpoint: https://docs.aws.amazon.com/vpc/latest/privatelink/security_iam_id-based-policy-examples.html
upvoted 2 times
romiao106
2 years, 3 months ago
No. in your document it says "By default, users and roles don't have permission to create or modify AWS PrivateLink resources". Users and roles don't have permissions so they do need permissions to use an interface endpoint
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel