SAA-C03 Question #209: Real Exam Question with Answer & Explanation

The correct answer is B: Set up interface VPC endpoints to connect to the EMR cluster. Improve security for EMR API access from EC2 instances by reducing long-term credentials and eliminating public IP communication.

Submitted by satoshi_tk · Mar 4, 2026 · Design Secure Architectures

Question

A company is performing a security review of its Amazon EMR API usage. The company's developers use an integrated development environment (IDE) that is hosted on Amazon EC2 instances. The IDE is configured to authenticate users to AWS by using access keys. Traffic between the company's EC2 instances and EMR cluster uses public IP addresses. A solutions architect needs to improve the company's overall security posture. The solutions architect needs to reduce the company's use of long-term credentials and to limit the amount of communication that uses public IP addresses. Which combination of steps will MOST improve the security of the company's architecture? (Select TWO.)

Options

  • A. Set up a gateway endpoint to the EMR cluster.
  • B. Set up interface VPC endpoints to connect to the EMR cluster.
  • C. Set up a private NAT gateway to connect to the EMR cluster.
  • D. Set up IAM roles for the developers to use to connect to the Amazon EMR API.
  • E. Set up AWS Systems Manager Parameter Store to store access keys for each developer.

Explanation

Improve security for EMR API access from EC2 instances by reducing long-term credentials and eliminating public IP communication.

Common mistakes.

  • A. Amazon EMR does not currently support gateway VPC endpoints; gateway endpoints are primarily for S3 and DynamoDB.
  • C. A private NAT gateway provides outbound internet access from private subnets but does not enable private access to AWS service endpoints like EMR without traversing the internet.
  • E. Storing access keys in Parameter Store, while secure, does not eliminate the use of long-term credentials; the goal is to reduce reliance on them.

Concept tested. EMR API security, PrivateLink, IAM roles

Reference. https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html
