Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 767 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 767
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and in internet gateway. Each public subnet also contains a NAT gateway. Most of the company's applications read from and write to Amazon Kinesis Data Streams.
Most of the workloads run in private subnets.
A solutions architect must review the infrastructure. The solution architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.
What should the solutions architect do to meet these requirements?

  • A. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.
  • B. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
  • C. Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams. Configure security groups to block that traffic.
  • D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by pkboy78 at Aug. 20, 2021, 6:35 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
pablobairat
Highly Voted 3 years ago
It is D Source: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
upvoted 13 times
...
Jupi
Highly Voted 2 years, 11 months ago
D: If most traffic through your NAT gateway is to AWS services that support interface VPC endpoints, then create an interface VPC endpoint for the services. https://aws.amazon.com/premiumsupport/knowledge-center/vpc-reduce-nat-gateway-transfer-costs/ VPC endpoint policies enable you to control access by either attaching a policy to a VPC endpoint or by using additional fields in a policy that is attached to an IAM user, group, or role to restrict access to only occur via the specified VPC endpoint
upvoted 8 times
tgv
2 years, 11 months ago
First I was the impression that you cannot attach a policy to a VPC interface endpoint (only to VPC gateway endpoints), but did a bit of research and found this --> https://aws.amazon.com/about-aws/whats-new/2019/06/now-add-endpoint-policies-to-interface-endpoints-for-aws-services/ Since "a default policy gets attached for you to allow full access to the service" when you create the endpoint you don't really need to ensure that the VPC endpoint policy allows traffic from the applications. But I guess this is just AWS way to confuse us
upvoted 2 times
...
...
Heer
Most Recent 1 year, 8 months ago
In general, it's best practice to use both IAM permissions and a VPC endpoint policy. The IAM permissions ensure that only the right users and applications have access to the endpoint, while the VPC endpoint policy ensures that only the right traffic is allowed to reach the endpoint. Our question here talks more from Application (EC2 accessing KDS) so I want to pick option B
upvoted 1 times
...
Bill_Wiiliam
2 years, 3 months ago
D is the correct answer
upvoted 2 times
...
kangtamo
2 years, 3 months ago
Selected Answer: D
Agree with D.
upvoted 1 times
...
bfal
2 years, 5 months ago
Correct answer is B. D is wrong because it states VPC endpoint policy for traffic "from" the application. With vac endpoint policy, you can't control traffic from the application, but traffic to the application. This should be viewed from service consumer perspective .
upvoted 1 times
cen007
2 years, 2 months ago
D. IAM is Identity and Access Management.
upvoted 1 times
...
...
andylogan
2 years, 11 months ago
It's D
upvoted 1 times
...
tgv
2 years, 11 months ago
DDD ---
upvoted 2 times
...
blackgamer
2 years, 11 months ago
D is the answer.
upvoted 1 times
...
denccc
2 years, 12 months ago
Would go for D since you don't need a IAM policy to USE vpc endpoints (only to create/update/delete them).
upvoted 4 times
...
pkboy78
3 years ago
I think it is D?
upvoted 1 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel