
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 115 discussion

A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and an internet gateway. Each public subnet also contains a NAT gateway. Most of the company's applications read from and write to Amazon Kinesis Data Streams. Most of the workloads run in private subnets.

A solutions architect must review the infrastructure. The solutions architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.

What should the solutions architect do to meet these requirements?

  • A. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.
  • B. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
  • C. Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams. Configure security groups to block that traffic.
  • D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.
Suggested Answer: D
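The endpoint policy that option D refers to, as an added example that is not part of the ExamTopics page or any commenter's post. It builds a least-privilege policy for a Kinesis Data Streams interface endpoint and includes a simplified evaluator so you can see what the policy decides and what it does not. The region, account ID, role ARN and stream name are constructed placeholders; the endpoint service name pattern `com.amazonaws.<region>.kinesis-streams` is the real one for Kinesis Data Streams. With private DNS enabled on the endpoint, the applications' existing calls to `kinesis.<region>.amazonaws.com` resolve to the endpoint's network interfaces inside the private subnets, so that traffic no longer traverses the NAT gateway and stops accruing NatGateway-Bytes. The endpoint policy is a resource-based policy on the endpoint itself: it narrows which principals, actions and streams may pass through, and it is evaluated alongside the caller's identity-based IAM policy, not instead of it.

```python
import fnmatch
import json

# Placeholder values constructed for this example (not taken from the page).
REGION = "us-east-2"
ACCOUNT_ID = "123456789012"
STREAM_ARN = f"arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/behavioral-events"
APP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/behavioral-data-app"
# Real service-name pattern for a Kinesis Data Streams interface endpoint.
KINESIS_ENDPOINT_SERVICE = f"com.amazonaws.{REGION}.kinesis-streams"

# Data-plane actions a producer/consumer needs; no administrative actions.
APP_ACTIONS = [
    "kinesis:DescribeStream",
    "kinesis:ListShards",
    "kinesis:GetShardIterator",
    "kinesis:GetRecords",
    "kinesis:PutRecord",
    "kinesis:PutRecords",
]

# What an endpoint has when no policy is attached: every principal,
# every action, every resource may pass through it.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def build_endpoint_policy(principal_arn, stream_arn, actions):
    """Least-privilege endpoint policy: only the application role, only the
    listed data-plane actions, only on the named stream."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AppRoleToBehavioralStream",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": list(actions),
                "Resource": stream_arn,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    # IAM wildcards are '*' and '?'; fnmatchcase handles both for ARN-like strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_match(principal, principal_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _glob_match(principal.get("AWS", []), principal_arn)
    return False


def endpoint_policy_allows(policy, principal_arn, action, resource_arn):
    """Simplified evaluation in IAM's order: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise implicit deny. Condition blocks and
    NotPrincipal/NotAction/NotResource are deliberately not modelled. This is
    a teaching model, not AWS's evaluator, and it says nothing about the
    caller's own identity-based policy, which must also allow the call."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (
            _principal_match(stmt["Principal"], principal_arn)
            and _glob_match(stmt["Action"], action)
            and _glob_match(stmt["Resource"], resource_arn)
        ):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_document(policy):
    """JSON text for `aws ec2 create-vpc-endpoint --policy-document` or
    `aws ec2 modify-vpc-endpoint --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_endpoint_policy(APP_ROLE_ARN, STREAM_ARN, APP_ACTIONS)
    print(f"Endpoint service: {KINESIS_ENDPOINT_SERVICE}")
    print(policy_document(policy))
    other_role = f"arn:aws:iam::{ACCOUNT_ID}:role/unrelated"
    for principal, action in [
        (APP_ROLE_ARN, "kinesis:PutRecords"),
        (APP_ROLE_ARN, "kinesis:DeleteStream"),
        (other_role, "kinesis:PutRecords"),
    ]:
        verdict = endpoint_policy_allows(policy, principal, action, STREAM_ARN)
        print(principal.rsplit("/", 1)[-1], action, "allowed" if verdict else "denied")
```

The policy is attached when the endpoint is created (`aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-2.kinesis-streams --policy-document file://policy.json --private-dns-enabled ...`, plus the private subnet and security-group IDs, which the page does not give) or later with `modify-vpc-endpoint`. After cut-over, the check that the change worked is the same Cost Explorer view the question describes: the NatGateway-Bytes usage type in EC2-Other should fall off while the Kinesis calls keep succeeding, and VPC Flow Logs on the endpoint's network interfaces show the stream traffic arriving there rather than at the NAT gateway.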

Comments

God_Is_Love
Highly Voted 1 year, 8 months ago
Selected Answer: D
VPC endpoints to mitigate NAT gateway huge data transfer costs, especially in the Kinesis use case where large data is passed through. With a VPC endpoint policy, you can define rules to control access to the VPC endpoint. You can specify the source IP address or IP address range that is allowed to access the endpoint, as well as the type of traffic that is allowed, such as HTTP, HTTPS, or custom TCP ports. You can also specify the resources that can be accessed through the VPC endpoint, such as an Amazon S3 bucket or an Amazon DynamoDB table.
upvoted 13 times
Maria2023
Highly Voted 1 year, 5 months ago
Selected Answer: D
B is a distractor. You don't need IAM permissions to use a service via an endpoint. You only need to set up proper routing to that endpoint
upvoted 8 times
youonebe
Most Recent 6 days, 14 hours ago
Answer is B. Option D is incorrect. While similar to B, it focuses on the endpoint policy instead of IAM permissions. VPC endpoint policies alone are insufficient; IAM permissions are crucial for application access.
upvoted 1 times
Syre
2 months ago
Selected Answer: B
Access Permissions are still required for most AWS services, including Kinesis Data Streams, even when accessed via a VPC endpoint. The endpoint allows traffic to the service, but your application or users still need IAM permissions to interact with the service. Without proper IAM permissions, even if the routing is set up correctly, the service will not authorize actions like reading from or writing to a Kinesis stream.
upvoted 1 times
amministrazione
2 months, 3 weeks ago
D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.
upvoted 1 times
red_panda
7 months ago
Selected Answer: D
D without any doubt.
upvoted 1 times
gofavad926
8 months, 1 week ago
Selected Answer: D
D, VPC endpoint
upvoted 2 times
gofavad926
8 months, 1 week ago
Selected Answer: D
D, VPC endpoint
upvoted 1 times
career360guru
11 months, 1 week ago
Selected Answer: D
Option D
upvoted 1 times
rlf
1 year, 1 month ago
Answer is D. An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which AWS principals can use the endpoint to access an AWS service. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
upvoted 1 times
NikkyDicky
1 year, 4 months ago
Selected Answer: D
It's a D.
upvoted 1 times
SkyZeroZx
1 year, 5 months ago
Selected Answer: D
reduce cost == interface VPC endpoint
upvoted 3 times
SkyZeroZx
1 year, 5 months ago
A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.
upvoted 1 times
Anonymous9999
1 year, 7 months ago
Selected Answer: D
D is the answer. It's not B because users/applications don't need permissions to use an endpoint: https://docs.aws.amazon.com/vpc/latest/privatelink/security_iam_id-based-policy-examples.html
upvoted 2 times
romiao106
1 year, 6 months ago
No. In your document it says "By default, users and roles don't have permission to create or modify AWS PrivateLink resources". Users and roles don't have permissions, so they do need permissions to use an interface endpoint.
upvoted 1 times
mfsec
1 year, 8 months ago
Selected Answer: D
D is the best choice.
upvoted 1 times
Sarutobi
1 year, 8 months ago
If this is a cost-saving question, it is very hard to answer: you pay for both, and depending on the region one can be cheaper than the other. There is a cost for a NAT GW and also for a VPC endpoint per AZ, plus the traffic you generate over them. In my experience, because you need a VPC endpoint for each service, NAT-GW is cheaper.
upvoted 1 times
fartosh
6 months ago
I agree that both NAT GW and interface VPC endpoints can become expensive. I believe that's why the question mentioned that most applications use KDS. I assume that it's the biggest middleware service and you will not need VPC endpoints for other services.
Pricing (based on Ohio):
NAT GW: 0.045 $/h + 0.045 $/GB
Interface VPC Endpoint: 0.01 $/h + 0.01 $/GB (lowered if more data transferred)
In the final setup the company will still pay for NAT GW (hourly fee) but the transfer cost (most of it) will be moved to VPCE, which gives:
for 1 GB per month: NAT GW: (24*30)h*0.045$/h + 1GB*0.045$/GB = 32.445$ > (24*30)h*0.01$/h + 1GB*0.01$/GB = 7.21$
for 1000 GB per month: NAT GW: (24*30)h*0.045$/h + 1000GB*0.045$/GB = 77.4$ > (24*30)h*0.01$/h + 1000GB*0.01$/GB = 17.2$
upvoted 1 times
c73bf38
1 year, 9 months ago
Selected Answer: D
Allowing traffic from the application using the VPC endpoint is key to bypassing NAT Gateway.
upvoted 3 times
moota
1 year, 9 months ago
Selected Answer: D
Which is which? A VPC endpoint policy is an IAM resource policy that you attach to a VPC endpoint. It determines which principals can use the VPC endpoint to access the endpoint service. The default VPC endpoint policy allows all actions by all principals on all resources over the VPC endpoint. https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#vpc-endpoints-policies
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other