Architecting on AWS study notes series: navigation page
32. A retailer exports data daily from its transactional databases into an S3 bucket in the Sydney region.
The retailer's Data Warehousing team wants to import this data into an existing Amazon Redshift cluster in their VPC in the Sydney region. Corporate security policy mandates that data can only be transported within a VPC. What combination of the following steps will satisfy the security policy?
Choose 2 answers from the options given below.
*A. Enable Amazon Redshift Enhanced VPC Routing
B. Create a Cluster Security Group to allow the Amazon Redshift cluster to access Amazon S3.
C. Create a NAT gateway in a public subnet to allow the Amazon Redshift cluster to access Amazon S3.
D. Create and configure an Amazon S3 VPC endpoint
Note:
As you probably know, S3 provides you with secure, durable, and highly scalable object storage. You can use the Virtual Private Cloud to create a logically isolated section of the AWS Cloud, with full control over a virtual network that you define.
When you create a VPC, you use security groups and access control lists (ACLs) to control inbound and outbound traffic. Until now, if you wanted your EC2 instances to be able to access public resources, you had to use an Internet Gateway, and potentially manage some NAT instances.
Today we are simplifying access to S3 resources from within a VPC by introducing the concept of a VPC Endpoint. These endpoints are easy to configure, highly reliable, and provide a secure connection to S3 that does not require a gateway or NAT instances.
EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets.
https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/#
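The note above says a bucket policy can state which VPC endpoints may reach a bucket. The following added example (not from the page or the AWS blog it cites) builds such a policy and simulates how its Deny statement evaluates for requests that arrive through the expected endpoint, through a different endpoint, or from outside any VPC. The bucket name and the vpce-* id are constructed placeholders; with Redshift Enhanced VPC Routing enabled (answer A), the cluster's COPY traffic to S3 goes through the VPC and the gateway endpoint (answer D), so it carries the aws:sourceVpce key the policy checks.

```python
import json

# Constructed placeholder identifiers; substitute your own bucket and endpoint id.
BUCKET = "example-retail-export-sydney"
ALLOWED_VPCE = "vpce-0123456789abcdef0"


def build_vpce_only_policy(bucket: str, vpce_id: str) -> dict:
    """Return a bucket policy that denies every S3 request not arriving
    through the given VPC endpoint. An explicit Deny with StringNotEquals
    overrides any Allow the caller has elsewhere, so even a principal with
    broad S3 permissions cannot reach the bucket from the public internet."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            }
        ],
    }


def policy_json(bucket: str, vpce_id: str) -> str:
    """Serialize the policy as the JSON document you would attach to the bucket."""
    return json.dumps(build_vpce_only_policy(bucket, vpce_id), indent=2)


def request_denied_by_policy(policy: dict, request_context: dict) -> bool:
    """Simulate the Deny statement for one request.

    request_context maps condition keys to the values S3 sees for the request,
    e.g. {"aws:sourceVpce": "vpce-..."}. A request from the public internet or
    through an internet/NAT gateway carries no aws:sourceVpce key at all.
    IAM treats a negated operator (StringNotEquals) as matching when the key
    is absent, so such requests are denied too. This is a simplified model of
    the evaluator, enough to show the behaviour of this one statement."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        for key, expected in not_equals.items():
            if request_context.get(key) != expected:
                return True  # condition holds, Deny applies
    return False


if __name__ == "__main__":
    policy = build_vpce_only_policy(BUCKET, ALLOWED_VPCE)
    print(policy_json(BUCKET, ALLOWED_VPCE))
    # Redshift COPY via Enhanced VPC Routing and the S3 gateway endpoint:
    print("via endpoint:", request_denied_by_policy(policy, {"aws:sourceVpce": ALLOWED_VPCE}))
    # Same bucket reached via a NAT gateway (answer C) has no endpoint id:
    print("via NAT/internet:", request_denied_by_policy(policy, {}))
```

Because the statement is a Deny on `Principal: "*"`, it also blocks administrators working from the console or CLI outside the VPC; keep a narrowly scoped exception (for example a second condition on a break-glass role) if that access is needed, and test the policy on a non-production bucket first.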
33. A Solutions Architect is designing a shared service for hosting containers from several customers on Amazon ECS.
These containers will use several AWS services. A container from one customer should not be able to access data from another customer.
Which of the below solutions should the architect use to meet these requirements?
A. IAM roles for tasks
B. IAM roles for EC2 Instances (instance level)
C. IAM Instance profile for EC2 Instances (instance level)
D. Security Group rules (instance level)
34. A Solutions Architect is designing a web page for event registrations.
He needs a managed service to send a text message to users every time someone signs up for an event. Which AWS Service should the Architect use to achieve this?
A. Amazon STS
B. Amazon SQS
C. AWS Lambda
D. Amazon SNS
Note:
You can use Amazon SNS to send text messages, or SMS messages, to SMS-enabled devices. A message can be sent directly to a phone number, or to multiple phone numbers at once by subscribing those phone numbers to a topic and sending your message to the topic. For more information on configuring SNS and SMS messages, please visit the following URL: https://docs.aws.amazon.com/sns/latest/dg/SMSMessages.html