Exam AWS Certified Solutions Architect - Professional topic 1 question 459 discussion

A company is migrating its on-premises build artifact server to an AWS solution. The current system consists of an Apache HTTP server that serves artifacts to clients on the local network, restricted by the perimeter firewall. The artifact consumers are largely build automation scripts that download artifacts via anonymous HTTP, which the company will be unable to modify within its migration timetable.
The company decides to move the solution to Amazon S3 static website hosting. The artifact consumers will be migrated to Amazon EC2 instances located within both public and private subnets in a virtual private cloud (VPC).
Which solution will permit the artifact consumers to download artifacts without modifying the existing automation scripts?

  • A. Create a NAT gateway within a public subnet of the VPC. Add a default route pointing to the NAT gateway into the route table associated with the subnets containing consumers. Configure the bucket policy to allow the s3:ListBucket and s3:GetObject actions using the condition IpAddress and the condition key aws:SourceIp matching the elastic IP address of the NAT gateway.
  • B. Create a VPC endpoint and add it to the route table associated with subnets containing consumers. Configure the bucket policy to allow s3:ListBucket and s3:GetObject actions using the condition StringEquals and the condition key aws:sourceVpce matching the identification of the VPC endpoint.
  • C. Create an IAM role and instance profile for Amazon EC2 and attach it to the instances that consume build artifacts. Configure the bucket policy to allow the s3:ListBucket and s3:GetObjects actions for the principal matching the IAM role created.
  • D. Create a VPC endpoint and add it to the route table associated with subnets containing consumers. Configure the bucket policy to allow s3:ListBucket and s3:GetObject actions using the condition IpAddress and the condition key aws:SourceIp matching the VPC CIDR block.
Suggested Answer: B

Comments

donathon
Highly Voted 3 years, 7 months ago
B
A: While this will work, this is still going through public and because the traffic is HTTP, it is not encrypted so this cannot be a good solution.
B: This uses PrivateLink and hence is better since you cannot change the script to download via HTTP.
C: The EC2 needs network connectivity to S3 bucket.
D: How would this work when the actual access should be from the VPC endpoint and not the EC2 instance itself?
upvoted 31 times
JAWS1600
3 years, 6 months ago
Requirement does not ask for secured solution ( https) . It requires HTTP.
upvoted 2 times
PacoDerek
3 years, 7 months ago
something more for D: You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range (the private IPv4 address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. Therefore, you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
upvoted 9 times
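To make the difference between options B and D concrete, here is an added example (not code from the exam page, the commenters, or AWS): it builds the bucket policy each option describes and evaluates both against a request context of the kind the AWS documentation quoted above describes. A request arriving through a gateway VPC endpoint carries `aws:sourceVpce` (and `aws:VpcSourceIp`) but no `aws:SourceIp`, so D's `IpAddress` condition cannot match it, while B's `StringEquals` on the endpoint id does. The bucket name, endpoint id, CIDR and addresses are constructed placeholders, and the evaluator models only the two condition operators the options use, with no Deny statements.

```python
# Added example (not from the exam page or any AWS code): the bucket policy
# that option B describes, the one option D describes, and a minimal
# evaluator for the two condition operators involved.  The point it shows
# is the documented behaviour quoted above: a request that reaches S3
# through a gateway VPC endpoint carries aws:sourceVpce (and aws:VpcSourceIp)
# but no aws:SourceIp, so D's IpAddress condition can never match it.
# Bucket name, endpoint id, CIDR and addresses are constructed placeholders.
import ipaddress

BUCKET = "example-artifact-bucket"      # placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"       # placeholder endpoint id
VPC_CIDR = "10.0.0.0/16"                 # placeholder VPC CIDR

ARTIFACT_ACTIONS = ["s3:ListBucket", "s3:GetObject"]


def _read_statement(bucket, sid, condition):
    """Anonymous read (Principal "*"), as the unmodified HTTP scripts need,
    but only while `condition` holds; everything else is implicitly denied."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": "*",
        "Action": ARTIFACT_ACTIONS,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": condition,
    }


def bucket_policy_option_b(bucket=BUCKET, vpce_id=VPCE_ID):
    """Option B: anonymous reads only for requests arriving through one endpoint."""
    return {"Version": "2012-10-17", "Statement": [
        _read_statement(bucket, "ReadViaVpcEndpoint",
                        {"StringEquals": {"aws:sourceVpce": vpce_id}})]}


def bucket_policy_option_d(bucket=BUCKET, vpc_cidr=VPC_CIDR):
    """Option D: anonymous reads keyed on aws:SourceIp within the VPC CIDR."""
    return {"Version": "2012-10-17", "Statement": [
        _read_statement(bucket, "ReadFromVpcCidr",
                        {"IpAddress": {"aws:SourceIp": vpc_cidr}})]}


def condition_matches(condition, ctx):
    """Evaluate a Condition block against the request context keys.
    A key absent from the context fails to match, which is how IAM treats
    aws:SourceIp for requests that come through a VPC endpoint."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "IpAddress":
                network = ipaddress.ip_network(expected, strict=False)
                if ipaddress.ip_address(actual) not in network:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, action, ctx):
    """Implicit deny: allowed only if some Allow statement covers the action
    and all of its conditions hold (Deny statements are not modelled)."""
    return any(
        stmt["Effect"] == "Allow"
        and action in stmt["Action"]
        and condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


# Constructed request contexts: one request via the gateway endpoint (no
# aws:SourceIp present), one via the public path such as a NAT gateway.
REQUEST_VIA_ENDPOINT = {"aws:sourceVpce": VPCE_ID, "aws:VpcSourceIp": "10.0.12.34"}
REQUEST_VIA_NAT = {"aws:SourceIp": "203.0.113.10"}

if __name__ == "__main__":
    for name, policy in [("B", bucket_policy_option_b()), ("D", bucket_policy_option_d())]:
        print(f"option {name}: via endpoint -> "
              f"{is_allowed(policy, 's3:GetObject', REQUEST_VIA_ENDPOINT)}, "
              f"via NAT -> {is_allowed(policy, 's3:GetObject', REQUEST_VIA_NAT)}")
```

Two practical notes: IAM condition key names are matched case-insensitively, so the `aws:sourceVpce` spelling from the question and `aws:SourceVpce` from the documentation behave the same; and although the statement uses `Principal: "*"`, the endpoint condition means an anonymous request over the public path (including one leaving through a NAT gateway) still receives the implicit deny, which is the property that keeps the bucket from becoming world-readable.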
meenu2225
Highly Voted 3 years, 6 months ago
Correct option is B. Remember the original setup is: Apache HTTP server that serves artifacts to clients on the local network, restricted by the perimeter firewall. Which means the comms cannot be on internet, it has to be either in private subnet or via endpoint service. Which means A & C are out of equation because in both the traffic is via internet. Leaving only B and D. Out of these B makes more sense.
upvoted 14 times
alnadan
Most Recent 2 years, 5 months ago
Selected Answer: B
B is the correct ans. https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
upvoted 1 times
bandaot
2 years, 6 months ago
Selected Answer: A
Why so many people select B? Based on this https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3 AWS PrivateLink doesn't support website endpoints and user must change to use the endpoint-specific DNS names. Even though A also has the problem for the EC2 in public subnet and maybe not that secure to go through the public internet, but it's still the only possible solution.
upvoted 2 times
dmscountera
2 years, 6 months ago
Selected Answer: B
Based on all comments
upvoted 1 times
jj22222
3 years, 1 month ago
Selected Answer: B
B. Create a VPC endpoint and add it to the route table associated with subnets containing consumers. Configure the bucket policy to allow s3:ListBucket and s3:GetObject actions using the condition StringEquals and the condition key aws:sourceVpce matching the identification of the VPC endpoint.
upvoted 1 times
ozan11
3 years, 1 month ago
It's C.
upvoted 1 times
frankzeng
3 years, 3 months ago
A. Need to use HTTP. The public subnet can go through NAT gateway
upvoted 2 times
lulz111
3 years, 3 months ago
Maybe I'm misreading it, but this feels like another badly written question to me. The consumers currently make HTTP calls to get the artifacts, and we are asking to not change that. Yet there is no mention of anything other than using S3, which by default doesn't support HTTP. I would expect the real answer to make reference to static website hosting in S3 tbh.
upvoted 3 times
AzureDP900
3 years, 4 months ago
B is right!
upvoted 1 times
andylogan
3 years, 5 months ago
It's B
upvoted 1 times
DerekKey
3 years, 5 months ago
A wrong - "aws:SourceIp matching the elastic IP address of the NAT gateway" will not serve instances in public subnets
B OK - aws:sourceVpce
C wrong - no access to S3 from private subnets
D wrong - with Vpce instead of aws:SourceIp you have to use aws:VpcSourceIp
upvoted 3 times
WhyIronMan
3 years, 5 months ago
I'll go with B
upvoted 2 times
Waiweng
3 years, 6 months ago
It's B
upvoted 4 times
Kian1
3 years, 6 months ago
will go with B
upvoted 2 times
Ebi
3 years, 6 months ago
Answer is B, you don't need to update scripts: "If you've already set up access to your Amazon S3 resources from your VPC, you can continue to use Amazon S3 DNS names to access those resources after you've set up an endpoint."
upvoted 5 times
rcher
3 years, 6 months ago
B. Why not D? If the request comes from a host that uses an Amazon VPC endpoint, then the aws:SourceIp key is not available. You should instead use a VPC-specific key such as aws:VpcSourceIp. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other