Topic 1 Question 527

AWS Certified Solutions Architect - Professional

Topic 1 Question 527
A company is collecting data from a large set of IoT devices. The data is stored in an Amazon S3 data lake. Data scientists perform analytics on Amazon EC2 instances that run in two public subnets in a VPC in a separate AWS account.

The data scientists need access to the data lake from the EC2 instances. The EC2 instances already have an assigned role with permissions to access Amazon S3. According to company policies, only authorized networks are allowed to have access to the IoT data.

Which combination of steps should a solutions architect take to meet these requirements?

2 つ選択
- Create a gateway VPC endpoint for Amazon S3 in the data scientists’ VPC.
- Create an S3 access point in the data scientists' AWS account for the data lake.
- Update the EC2 instance role. Add a policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN.
- Update the VPC route table to route S3 traffic to an S3 access point.
- Add an S3 bucket policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN.
ユーザの投票
コメント(17)
- 正解だと思う選択肢: AE
  A. This step ensures that the traffic between the EC2 instances and the S3 data lake does not traverse the public internet, thereby meeting security requirements and reducing latency. E. This step ensures that the access to the data lake is restricted according to company policies. It leverages an S3 bucket policy to enforce access control based on specific conditions, thereby providing an additional layer of security.
  
  👍 4
  Alagong2024/07/03
- 正解だと思う選択肢: BE
  B & E are correct options. A isn't correct because gateway VPC endpoint doesn't work outside of VPC. In this question, we are talking about 2 different accounts which implies 2 different VPCs as well
  
  👍 4
  backbencher20222024/08/18
- This question is really bad.
  
  It feels like if A is selected, then E needs to be adjusted to enable access between VPC endpoints and the bucket directly
  
  Or if B is selected, then B needs to be reworded to say creating access point in data lake account, then E would be valid without any modification
  
  👍 4
  kgpoj2024/09/14
シャッフルモード

ユーザの投票

コメント(17)