Amazon Web Services Related Exams
ANS-C01 Exam
A company runs a workload in a single VPC on AWS. The company’s architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources.
After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access.
The security group currently uses the following rules:
• Inbound - Rule 1
Protocol: TCP
Port: 443
Source: 0.0.0.0/0
• Inbound - Rule 2
Protocol: TCP
Port: 443
Source: VPC CIDR
• Outbound - Rule 1
Protocol: All
Port: All
Destination: 0.0.0.0/0
Which rule or rules should the company remove to meet with these requirements?
A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:
A transit gateway with all VPCs attached to it
Several hundred application VPCs
A centralized egress internet VPC with a NAT gateway and an internet gateway
A centralized ingress internet VPC that hosts public Application Load Balancers
On-premises connectivity through an AWS Direct Connect gateway attachment
The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table s default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata compatible rules.
The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is
no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment.
Which approach will meet these requirements with the LEAST maintenance overhead?