Topic 1 Question 521
A company is changing the way that it handles patching of Amazon EC2 instances in its application account. The company currently patches instances over the internet by using a NAT gateway in a VPC in the application account.
The company has EC2 instances set up as a patch source repository in a dedicated private VPC in a core account. The company wants to use AWS Systems Manager Patch Manager and the patch source repository in the core account to patch the EC2 instances in the application account. The company must prevent all EC2 instances in the application account from accessing the internet.
The EC2 instances in the application account need to access Amazon S3, where the application data is stored. These EC2 instances need connectivity to Systems Manager and to the patch source repository in the private VPC in the core account.
Which solution will meet these requirements?
Create a network ACL that blocks outbound traffic on port 80. Associate the network ACL with all subnets in the application account. In the application account and the core account, deploy one EC2 instance that runs a custom VPN server. Create a VPN tunnel to access the private VPC. Update the route table in the application account.
Create private VIFs for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route table in the core account.
Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
Create a network ACL that blocks inbound traffic on port 80. Associate the network ACL with all subnets in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
ユーザの投票
コメント(5)
A, D A block of Port.80 is not enough. B private VIFs is inadequate. The correct answer is C.
👍 3kupo7772024/07/02- 正解だと思う選択肢: C
answer : C
👍 3Alagong2024/07/03 - 正解だと思う選択肢: C
Aftee delete NAT gateway theres no need to block outbound port 80. Use vpc interface endpoint to keep traffic private. https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html
👍 2Daniel762024/09/17
シャッフルモード