Q32 — AWS SAA-C03 Chapter 3

Question 32 of 65

Q162. A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket. Which solution meets these requirements?

Correct answer: B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach the appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket that allows access only to the EC2 instance's IAM role.

Explanation

To meet the requirement of moving data from an Amazon EC2 instance to an Amazon S3 bucket with no API calls or data routed through public internet routes, and with only the EC2 instance having access to upload data to the S3 bucket, a solutions architect should create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Appropriate security groups should be attached to the endpoint, and a resource policy should be attached to the S3 bucket that allows access only to the EC2 instance's IAM role. Therefore, option B is the correct answer.

Option A suggests creating an interface VPC endpoint for Amazon S3, which may work but may require additional configuration to secure the endpoint and to ensure that only the EC2 instance has access.

Option C suggests using nslookup to obtain the private IP address of the S3 service API endpoint, which is not recommended. Private IP addresses can change frequently, so this approach does not provide a reliable solution.

Option D suggests using the publicly available ip-ranges.json file to obtain the private IP address of the S3 service API endpoint, which is also not recommended because of the potential for frequent changes to the IP addresses.

By creating a gateway VPC endpoint for Amazon S3, the connection between the EC2 instance and the S3 bucket stays within the AWS network, ensuring that no API calls or data are routed through public internet routes. Appropriate security groups can be attached to the endpoint to limit access to only the EC2 instance. A resource policy on the S3 bucket grants access only to the EC2 instance's IAM role, providing a secure and controlled solution for transferring data from the EC2 instance to the S3 bucket.
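The bucket resource policy that the correct answer describes, written out as an added example (this is not part of the original question page and not an AWS-supplied document). It goes one step beyond the explanation above: besides allowing only the instance's IAM role, it pins every request to the gateway VPC endpoint through the aws:SourceVpce condition key, which is what makes the "no public internet path" requirement enforceable at the bucket rather than just at the route table. The account ID 111122223333, the role name ExampleEc2UploadRole, the bucket name example-upload-bucket and the endpoint ID vpce-0123456789abcdef0 are all constructed placeholders; because JSON policy documents carry no comments, the placeholder status is signalled by the "Example"/"example" naming and by the Sid values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowUploadsFromInstanceRoleViaGatewayEndpoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleEc2UploadRole"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-upload-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    },
    {
      "Sid": "ExampleDenyAnyRequestNotArrivingViaGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-upload-bucket",
        "arn:aws:s3:::example-upload-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Two things to check before applying a policy shaped like this. First, the explicit Deny with "Principal": "*" applies to every caller, including administrators working from the console or from outside the VPC, so it needs either a separate management path (an exception statement for an admin role, or management through a host that also reaches S3 via the endpoint) or it will lock operators out; this is the most common way such a policy goes wrong in practice. Second, the bucket policy is only half of the authorization: the EC2 instance's IAM role still needs an identity policy granting s3:PutObject on the same bucket, and the subnet's route table must carry the endpoint's prefix-list route, otherwise requests never acquire the aws:SourceVpce context key and the Allow statement never matches.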