exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 877 discussion

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third- party SaaS application also runs on AWS inside a VPC.
The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company's VPC. All permissions must conform to the principles of least privilege.
Which solution meets these requirements?

  • A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.
  • B. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
  • C. Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
  • D. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
pixepe
2 years ago
A Reference architecture - https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-saas.html Note from documentation that Interface Endpoint is at client side In addition, it can have security groups as https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html
upvoted 1 times
...
AwsBRFan
2 years, 1 month ago
Selected Answer: A
https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html I was in doubt about security group, but thats possible You can change the security groups that are associated with the network interfaces for your interface endpoint. The security group rules control the traffic that is allowed to the endpoint network interface from the resources in your VPC.
upvoted 1 times
...
Ni_yot
2 years, 2 months ago
A seems good. It meets all the criteria.
upvoted 1 times
...
cale
2 years, 3 months ago
I think its A... reason: https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html
upvoted 3 times
...
rajvee
2 years, 3 months ago
I think it is D: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
upvoted 1 times
rajvee
2 years, 3 months ago
but than again, it is is SaaS provide that creates the Service Endpoint, and Consumer created the Interface endpoint
upvoted 1 times
rajvee
2 years, 3 months ago
Change to 'A' because of above reason.
upvoted 1 times
rajvee
2 years, 3 months ago
but this line is unsettling "create a security group to limit the access to the endpoint. "
upvoted 1 times
...
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago