Exam AWS Certified Security - Specialty topic 1 question 277 discussion

The Answer is A. Firehose VPC endpoints only use https, therefore data is encrypted in transit. Direct Connect Gateway establishes a private connection to the VPC.

A https://docs.aws.amazon.com/firehose/latest/dev/vpc.html

On-prem application to connect through Direct Connect to VPC interface endpoint for Kinesis Data Firehose.

Only https destinations are supported. URL restrictions are applied during delivery-stream configuration. (Port 443) https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html

The business requirement can be met by configuring an VPC endpoint. A VPC endpoint enables private connections between a VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. This means that instances in a VPC do not require public IP addresses to communicate with resources of the service and traffic between a VPC and a service does not leave the Amazon network.

architecture On-premises application | | VPN connection or AWS Direct Connect connection | | VPC endpoint for Kinesis Data Firehose | | Kinesis Data Firehose delivery stream So first half is traveling through DC which is dedicated private network, then when it's connecting to VPC Endpoint on-premises application connects to the delivery stream without going over the public internet.

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink....Traffic between an Amazon VPC and a service does not leave the Amazon network. On premises network can not access the VPC endpoint through Direct connect. A could NOT be the Answer https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html

switched to A. Use a private IP address over Direct Connect (with a VPC endpoint)

AWS DirectConnect : PRIVATE network connection (not over the internet) Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables PRIVATE communication between AWS services using an elastic network interface with PRIVATE IPs in your Amazon VPC. https://docs.aws.amazon.com/firehose/latest/dev/vpc.html

Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.

answer is C - A does not offer encryption which is what the question is asking. A would be valid if the question stated not to traverse the public internet!

All answers are not really good. The best would be to use a dc with public vif, then connect to the kinesis endpoint over the dc. But when I remember correctly, all of your public aws traffic is routed via dc (if it is a public vif). so C could be an option.

AWS PrivateLink uses Network Load Balancers to connect interface endpoints to services. A Network Load Balancer functions at the network transport layer (layer 4) and can handle millions of requests per second. In the case of AWS PrivateLink, it is represented inside the consumer Amazon VPC as an endpoint network interface. answer is A

A. interface VPC endpoint to keep traffic between Amazon VPC and Kinesis Data Firehose from leaving the Amazon network. Interface VPCE don't require AWS Direct Connect connection. Interface VPCE are powered by AWS PrivateLink.

From the DirectConnect FAQ: Features that are not currently supported by Direct Connect are; AWS Classic VPN, AWS VPN (such as edge-to-edge routing), VPC peering, VPC endpoints.

The keyword is private link, so a first guess is "A", as it has firehose VPC endpoint, however, then option "D" is also providing similar functionality in terms of Direct Connect with an existing network. The question is poorly worded, and confusing between the two options. Both of these options yet don't give encryption that is also asked in the question. If you go with the NLB option, then its exposed using public IP and the private purpose is defeated.

The companyג€™s security policy requires that data be encrypted in transit, only option C is talking about encryption, others are about connection....i go with C