Securing and Replicating Data in AWS Multi-Region Environment

AWS Solutions Architect Exam: Valid Options for Security and Replication


Question

To comply with the new security requirements, your company has hired an external auditor to assess the security perimeter around your SaaS platform.

The application, S3 and DynamoDB are running in multiple regions, and the application uses load balancers within each region for high availability.

The instances load sensitive configurations from an S3 bucket at the start, and the DynamoDB is used as a primary database.

The auditor has advised tightening the security groups and NACLs based on the application's requirements and using the private network instead of the public endpoints to access the AWS services.

Your team decided to use VPC Endpoints, as they use the AWS internal network for all the communication.

After a detailed examination, they realize that the data used by the applications also needs to be replicated to different regions.

Please select three valid options, including the modification for endpoints and object replication across regions.

Answers

Explanations


A. Configure the DynamoDB Global Tables to replicate the data into multi-regions.

B. Create VPC Endpoints for S3 and DynamoDB.

C. Use the NAT Gateway for all the egress communication to these AWS services.

D. Set up VPC gateway endpoint for S3 and interface endpoint for DynamoDB to communicate with these services over the private AWS network.

E. Use the S3 Cross-Region Replication to save the configurations in the multiple regions.

Correct Answers: A, B, E.

Interface endpoints.

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet.

It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.

Interface endpoints are powered by AWS PrivateLink.

Gateway Load Balancer endpoints.

A Gateway Load Balancer endpoint is an elastic network interface with a private IP address from the IP address range of your subnet.

Gateway Load Balancer endpoints are powered by AWS PrivateLink.

This type of endpoint serves as an entry point to intercept traffic and route it to a service that you've configured using Gateway Load Balancers, for example, for security inspection.

Gateway endpoints.

A gateway endpoint is for the following supported AWS services:

Amazon S3

DynamoDB

You specify a gateway endpoint as a route table target for traffic that is destined for the supported AWS services.

Option A is CORRECT as DynamoDB Global Tables create a multi-region, multi-master database that can be accessed internally from each region.

Option B is CORRECT as creating the VPC Endpoints for services like S3 and DynamoDB will allow the application to use them via the AWS network.

Option C is INCORRECT because NAT gateways are used to communicate with the Internet from a private subnet.

They exist to secure private resources such as database and application servers, which do not require and ideally should not have public connectivity.

Option D is INCORRECT because DynamoDB uses the Gateway Endpoint instead of the Interface Endpoint.

Option E is CORRECT because VPC Endpoints are regional and cannot be accessed from outside their region.

To use the endpoints, we need to copy the S3 objects to all the regions from which they will be used.

S3 Cross-Region Replication can do this effectively without any manual support.

NOTE: Please read the question as follows.

To comply with the new security requirements, your company has hired an external auditor to assess the security perimeter around your SaaS platform.

The application, S3, and DynamoDB are running in multiple regions, and the application uses load balancers within each region for high availability.

The instances load sensitive configurations from an S3 bucket at the start, and the DynamoDB is used as a primary database.

The auditor has advised the following:

1. tighten the security groups and NACLs based on the application's requirements, and

2. use the private network instead of the public endpoints to access the AWS services.

Your team decided to use VPC Endpoints, as they use the AWS internal network for all the communication.

After a detailed examination, they realize that the data used by the applications also needs to be replicated to different regions.

Please select three valid options, including the modification for endpoints and object replication across regions.

Reference:

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html


A. Configure the DynamoDB Global Tables to replicate the data into multi-regions.

DynamoDB Global Tables allow you to replicate your table data automatically across multiple AWS regions, providing a fully managed, multi-master, multi-region database capability. By configuring DynamoDB Global Tables, you can ensure that your data is available in multiple regions, improving availability and fault tolerance.

B. Create VPC Endpoints for S3 and DynamoDB.

VPC endpoints allow you to connect privately to AWS services such as S3 and DynamoDB without going over the internet. By creating VPC endpoints for S3 and DynamoDB, you can ensure that your data does not leave your VPC and can only be accessed by resources within your VPC. This improves security and reduces data transfer costs.

C. Use the NAT Gateway for all the egress communication to these AWS services.

A NAT gateway is a managed service that allows resources in a private subnet to access the internet while blocking incoming traffic from the internet. By using a NAT gateway for egress communication to S3 and DynamoDB, you can ensure that traffic from your private subnets to these services is secure and goes through a single point of exit, reducing complexity.

D. Set up VPC gateway endpoint for S3 and interface endpoint for DynamoDB to communicate with these services over the private AWS network.

A VPC gateway endpoint allows you to connect to S3 from within your VPC over the AWS network, while an interface endpoint allows you to connect to DynamoDB from within your VPC over the AWS network. By setting up these endpoints, you can ensure that your data remains within the AWS network and does not go over the internet. This improves security and reduces data transfer costs.
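As an added example that is not part of the original question page, here is a Terraform fragment implementing what option B and the gateway-endpoint explanation earlier on the page describe: S3 and DynamoDB both reached through Gateway endpoints on the private route table, with an endpoint policy scoped to the configuration bucket and a bucket policy that rejects any request not arriving through that endpoint. The resources aws_vpc.main and aws_route_table.private, the region and the bucket name are assumed placeholders.

```hcl
# Added example, not part of the original page. Assumed to exist: aws_vpc.main and
# aws_route_table.private; the region and bucket name below are placeholders.
variable "region"        { default = "us-east-1" }
variable "config_bucket" { default = "example-saas-config-bucket" }

# S3 via a Gateway endpoint: it is a route-table target, not an ENI in a subnet.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
  # Endpoint policy: through this endpoint, instances may only read the config bucket.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${var.config_bucket}",
                   "arn:aws:s3:::${var.config_bucket}/*"]
    }]
  })
}

# DynamoDB is also a Gateway endpoint (the reason option D is marked incorrect above).
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# Bucket side: deny any request that did not arrive through the gateway endpoint, so
# the sensitive configuration cannot be fetched over the public S3 endpoint at all.
resource "aws_s3_bucket_policy" "config_vpce_only" {
  bucket = var.config_bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessViaGatewayEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = ["arn:aws:s3:::${var.config_bucket}",
                   "arn:aws:s3:::${var.config_bucket}/*"]
      Condition = { StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.s3.id } }
    }]
  })
}
```

The Deny applies to every principal, including administrators and the S3 replication role that writes into a replica bucket in another region, so exempt those principals (for example with an additional aws:PrincipalArn condition) before applying it.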

E. Use the S3 Cross-Region Replication to save the configurations in the multiple regions.

S3 Cross-Region Replication allows you to automatically replicate objects from one S3 bucket to another S3 bucket in a different region. By using S3 Cross-Region Replication, you can ensure that your data is available in multiple regions, improving availability and fault tolerance.
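As an added example, not from the original page, here are the two replication pieces that the explanations for options A and E describe, as Terraform: a DynamoDB Global Table with a replica in a second region, and an S3 Cross-Region Replication rule for the configuration bucket. The source and destination buckets (with versioning enabled), the replication IAM role, the table name and the replica region are assumed placeholders.

```hcl
# Added example, not part of the original page. Assumed to exist already:
# aws_s3_bucket.config_primary and aws_s3_bucket.config_secondary (both with
# versioning enabled, the second one in the other region) and aws_iam_role.replication
# trusted by s3.amazonaws.com. Table name, key and replica region are placeholders.

# Option A: DynamoDB Global Table. The replica block makes the table multi-region and
# multi-master; a stream with NEW_AND_OLD_IMAGES is required for global tables.
resource "aws_dynamodb_table" "saas_primary" {
  name             = "saas-primary"
  billing_mode     = "PAY_PER_REQUEST"
  hash_key         = "tenant_id"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  attribute {
    name = "tenant_id"
    type = "S"
  }

  replica {
    region_name = "eu-west-1" # assumed second region
  }
}

# Option E: S3 Cross-Region Replication of the configuration bucket, so instances in
# the second region read their copy through that region's own gateway endpoint.
resource "aws_s3_bucket_replication_configuration" "config" {
  bucket = aws_s3_bucket.config_primary.id
  role   = aws_iam_role.replication.arn

  rule {
    id     = "config-to-secondary-region"
    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.config_secondary.arn
      storage_class = "STANDARD"
    }
  }
}
```

Replication only covers objects written after the rule is enabled, so existing configuration objects need a one-off copy or S3 Batch Replication; the replica bucket also needs its own endpoint-only bucket policy (with the replication role exempted) if it is to be locked down like the primary.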

In summary, options A, B, and D are all valid options to improve security and availability while ensuring that data is available in multiple regions. Option C is not necessary if VPC endpoints are used, and Option E only applies to replicating data in S3, not DynamoDB.