ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SAP on AWS - Specialty PAS-C01 All Questions

View all questions & answers for the AWS Certified SAP on AWS - Specialty PAS-C01 exam
Go to Exam

Exam AWS Certified SAP on AWS - Specialty PAS-C01 topic 1 question 102 discussion

Exam question from Amazon's AWS Certified SAP on AWS - Specialty PAS-C01
Question #: 102
Topic #: 1
[All AWS Certified SAP on AWS - Specialty PAS-C01 Questions]

A company deploys its SAP ERP system on AWS in a highly available configuration across two Availability Zones. The cluster is configured with an overlay IP address and a Network Load Balancer (NLB) to provide access to the SAP application layer to all users. The company's analytics team has created several Operational Data Provisioning (ODP) extractor services for the SAP ERP system.

A highly available ETL system will call the ODP extractor services. The ETL system is hosted on Amazon EC2 instances that are deployed in an analytics VPC in a different AWS account. An SAP solutions architect needs to prevent the ODP extractor services from being used as an attack vector to overload the SAP ERP system.

Which solution will provide the MOST protection for the ODP extractor services?

  • A. Configure VPC peering between the SAP VPC and the analytics VPC. Use network ACL rules in the SAP VPC to allow traffic to the NLB from only authorized sources: the analytics VPC CIDR block and the SAP end users' network CIDR block.
  • B. Create a transit gateway in the SAP account. Share the transit gateway with the analytics account. Attach the SAP VPC and the analytics VPC to the transit gateway. Use network ACL rules in the SAP VPC to allow traffic to the NLB from only authorized sources: the analytics VPC CIDR block and the SAP end users' network CIDR block.
  • C. Configure VPC peering between the SAP VPC and the analytics VPUpdate the NLB security group rules to accept traffic only from authorized sources: the ETL instances CIDR block and the SAP end users' network CIDR block.
  • D. Create a VPC endpoint service configuration on the SAP VPC. Specify the NLB in the endpoint configuration. In the analytics account, create an IAM role that has permission to create a connection to the endpoint service. Attach the role to the ETL instances. While logged in to the ETL instances, programmatically create an interface endpoint to the NLB. Accept the request to activate the interface connection.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by tonatiuhop at July 27, 2023, 11:34 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
G4Exams
1 year, 7 months ago
Selected Answer: B
After first reading I thougth D because and endpoint is way more secure than any peering configuration but if we read the question properly the endpoint is to the NLB and everything behind it. Transit Gateway is a little overengeneering and too expensive but as costs are not a concern here it is most likely the securest way I would say. Correct me if I am wrong guys !
upvoted 1 times
...
zzw890827
1 year, 7 months ago
Selected Answer: D
VPC Endpoint Service + IAM Role: This is the most restrictive and secure approach. The VPC endpoint service allows you to expose a specific service (in this case, the NLB for SAP) to another VPC. By using IAM roles attached to the ETL instances, you can very tightly control which instances can access the SAP system. This would provide the most granular level of access control and thus the most protection against potential misuse of the ODP extractor services.
upvoted 4 times
...
G4Exams
1 year, 7 months ago
Selected Answer: D
The answer was which one is MOST secure so peering opens the whole vpc. An endpoint is more secure so I go for D but this is indeed a tricky one because all 4 would somehow work out.
upvoted 3 times
...
zzw890827
1 year, 8 months ago
Selected Answer: C
I prefer C.
upvoted 1 times
...
tonatiuhop
1 year, 9 months ago
Selected Answer: A
It looks like A
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago