Amazon SAA-C03: AWS Certified Solutions Architect - Associate

SAA-C03 Exam Question: Secure Data Transport for Amazon Redshift in Sydney


Question

A retailer exports data daily from its transactional databases into an S3 bucket in the Sydney region.

The retailer's Data Warehousing team wants to import this data into an existing Amazon Redshift cluster in their VPC in Sydney.

Corporate security policy mandates that data can only be transported within the AWS's private network. Which steps would satisfy the security policy? (SELECT TWO.)

Answers

Explanations


A. B. C. D.

Correct Answer - A and D.

Amazon Redshift Enhanced VPC Routing forces traffic between the cluster and Amazon S3 through your VPC, so the VPC's own networking resources (such as endpoints) apply to it.

Without Enhanced VPC Routing enabled, Redshift will not use the S3 VPC endpoint.

So neither option satisfies the scenario on its own; both must be selected.

A NAT instance (the option proposing one) likewise cannot be used by Redshift without enabling Enhanced VPC Routing.

https://aws.amazon.com/about-aws/whats-new/2016/09/amazon-redshift-now-supports-enhanced-vpc-routing/

Option D:

VPC Endpoints - A VPC endpoint enables you to privately connect your VPC to supported AWS services and to VPC endpoint services powered by PrivateLink, without requiring an Internet gateway, NAT device, VPN connection or AWS Direct Connect connection.

Instances in the VPC do not need public IP addresses to communicate with resources in the service, and traffic between your VPC and the service does not leave the Amazon network.

S3 VPC Endpoint - An S3 VPC endpoint is the endpoint that applies here: it lets resources in the VPC reach Amazon S3 over this private path.

I recommend looking into the following URLs to learn more about the concept.

https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html

To satisfy the corporate security policy that mandates that data can only be transported within AWS's private network, we need to use private networking options available within AWS. Two such options are:

  1. Enable Amazon Redshift Enhanced VPC Routing: This feature allows Amazon Redshift to access the S3 bucket over the VPC endpoint without using the public Internet. It creates a VPC endpoint for Amazon S3 in your VPC and routes all Amazon S3 traffic through that endpoint, which ensures that the traffic remains within your VPC and doesn't traverse the public internet.

  2. Create and configure an Amazon S3 VPC endpoint: An S3 VPC endpoint allows communication between Amazon Redshift in a VPC and S3 over an Amazon network instead of the public Internet. By creating a VPC endpoint, traffic between Amazon Redshift and S3 stays within the Amazon network, which is a private connection and therefore satisfies the security policy.

Hence, the correct answers are A and D. Option B is incorrect because it only creates a Cluster Security Group to allow the Amazon Redshift cluster to access Amazon S3, but it does not ensure private network transport. Option C is incorrect because it requires a NAT gateway in a public subnet, which defeats the purpose of having a private network transport.
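As an added example (not from the question bank or from AWS), the following Python audit checks the two controls above, Enhanced VPC Routing on the cluster and an S3 gateway endpoint in the cluster's VPC, against the field names boto3 returns from redshift.describe_clusters() and ec2.describe_vpc_endpoints(). The sample records and IDs are constructed; the Sydney S3 service name used is com.amazonaws.ap-southeast-2.s3.

```python
"""Audit whether a Redshift cluster reaches S3 only over AWS's private network.

The input dicts mirror the shapes returned by boto3's
redshift.describe_clusters() and ec2.describe_vpc_endpoints(); the sample
data below is constructed for this example, not captured from a real account.
"""
from typing import Dict, List

S3_SERVICE = "com.amazonaws.ap-southeast-2.s3"   # S3 service name in Sydney


def audit_private_s3_path(cluster: Dict, endpoints: List[Dict]) -> List[str]:
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    # Control 1 (option A): S3 traffic must be forced through the VPC.
    if not cluster.get("EnhancedVpcRouting", False):
        findings.append(
            f"{cluster['ClusterIdentifier']}: EnhancedVpcRouting is disabled, "
            "so COPY/UNLOAD traffic to S3 bypasses the VPC endpoint")
    # Control 2 (option D): the cluster's VPC needs a usable S3 gateway endpoint.
    usable = [
        e for e in endpoints
        if e.get("VpcId") == cluster.get("VpcId")
        and e.get("ServiceName") == S3_SERVICE
        and e.get("VpcEndpointType") == "Gateway"
        and e.get("State") == "available"
        and e.get("RouteTableIds")   # a gateway endpoint is unused without routes
    ]
    if not usable:
        findings.append(
            f"{cluster['ClusterIdentifier']}: no available S3 gateway endpoint "
            f"with route table associations in {cluster.get('VpcId')}")
    return findings


# Constructed sample data (placeholder IDs, not from a real account).
CLUSTER_OK = {"ClusterIdentifier": "dw-sydney", "VpcId": "vpc-0example",
              "EnhancedVpcRouting": True}
CLUSTER_BAD = {"ClusterIdentifier": "dw-legacy", "VpcId": "vpc-0example",
               "EnhancedVpcRouting": False}
ENDPOINTS = [
    {"VpcId": "vpc-0example", "ServiceName": S3_SERVICE, "VpcEndpointType": "Gateway",
     "State": "available", "RouteTableIds": ["rtb-0example"]},
    # An interface endpoint for another service does not satisfy the S3 requirement.
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.ap-southeast-2.sts",
     "VpcEndpointType": "Interface", "State": "available", "RouteTableIds": []},
]

if __name__ == "__main__":
    for c in (CLUSTER_OK, CLUSTER_BAD):
        print(c["ClusterIdentifier"], audit_private_s3_path(c, ENDPOINTS) or ["compliant"])
```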