Amazon SAP-C02 Exam - Topic 1 Question 43 Discussion

Actual exam question for Amazon's SAP-C02 exam
Question #: 43
Topic #: 1

A company has implemented a new security requirement. According to the new requirement, the company must scan all traffic from corporate AWS instances in the company's VPC for violations of the company's security policies. As a result of these scans, the company can block access to and from specific IP addresses.

To meet the new requirement, the company deploys a set of Amazon EC2 instances in private subnets to serve as transparent proxies. The company installs approved proxy server software on these EC2 instances. The company modifies the route tables on all subnets to use the corresponding EC2 instances with proxy software as the default route. The company also creates security groups that are compliant with the security policies and assigns these security groups to the EC2 instances.

Despite these configurations, the traffic of the EC2 instances in their private subnets is not being properly forwarded to the internet.

What should a solutions architect do to resolve this issue?

Suggested Answer: A

Identify Proxy EC2 Instances:

Determine which EC2 instances in the private subnets are running the proxy server software.

Disable Source/Destination Checks:

For each of these EC2 instances, go to the AWS Management Console.

Navigate to the EC2 dashboard, select the instance, and choose 'Actions' > 'Networking' > 'Change Source/Dest. Check'.

Disable the source/destination check for these instances.

Disabling source/destination checks allows the EC2 instances to route traffic appropriately, enabling them to function as network appliances or proxies. This ensures that traffic from other instances in the private subnets can be routed through the proxy instances to the internet, meeting the company's security requirements.

Reference

Amazon EC2 User Guide on Source/Destination Checks
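
An added example (not from the original page or from AWS): a Python check that cross-references route tables with instance data to find proxy interfaces that are route targets but still have the source/destination check enabled. The sample data and every ID are constructed; the field names follow the `describe-route-tables` and `describe-instances` output.

```python
# Constructed sample data, shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-instances` output; every ID here is made up.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0aaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0p1"}]},
    {"RouteTableId": "rtb-0bbb", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0p2"}]},
]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0proxy1", "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0p1", "SourceDestCheck": True}]},
    {"InstanceId": "i-0proxy2", "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0p2", "SourceDestCheck": False}]},
    {"InstanceId": "i-0app1", "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0a1", "SourceDestCheck": True}]},
]}]}


def route_target_enis(route_tables):
    """Map each ENI used as a route target to the route tables that use it."""
    targets = {}
    for rt in route_tables["RouteTables"]:
        for route in rt["Routes"]:
            eni = route.get("NetworkInterfaceId")
            if eni:
                targets.setdefault(eni, []).append(rt["RouteTableId"])
    return targets


def forwarding_blocked(route_tables, instances):
    """List (instance, ENI, route tables) where a route-target ENI still has
    the source/destination check enabled, so forwarded packets are dropped."""
    targets = route_target_enis(route_tables)
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            for nic in inst.get("NetworkInterfaces", []):
                eni = nic["NetworkInterfaceId"]
                if eni in targets and nic.get("SourceDestCheck", True):
                    findings.append((inst["InstanceId"], eni, targets[eni]))
    return findings


def remediation(findings):
    """Build the AWS CLI command that disables the check on each flagged ENI."""
    return ["aws ec2 modify-network-interface-attribute "
            f"--network-interface-id {eni} --no-source-dest-check"
            for _, eni, _ in findings]
```

Ordinary workload instances such as `i-0app1` keep the check enabled; only interfaces that appear as route targets are flagged.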


Contribute your Thoughts:

Margart
3 months ago
D sounds complicated, but it could work if set up right!
upvoted 0 times
...
Irving
3 months ago
Wait, why would changing DHCP options help? That seems off.
upvoted 0 times
...
Marleen
3 months ago
I’m not so sure about that, B might be the better option here.
upvoted 0 times
...
Patti
4 months ago
Definitely A! That’s the go-to fix for proxy setups.
upvoted 0 times
...
Minna
4 months ago
Sounds like a classic case of source/destination check issues.
upvoted 0 times
...
Val
4 months ago
I don't recall much about DHCP options affecting traffic flow. I think that might not be the right approach for this problem.
upvoted 0 times
...
Ena
4 months ago
This question reminds me of a practice scenario where we had to set up proxies. I feel like option D could be a solution, but it seems a bit complex.
upvoted 0 times
...
Darell
4 months ago
I'm not entirely sure, but I think adding rules to the security group might not be enough if the routing is still misconfigured.
upvoted 0 times
...
Azalee
5 months ago
I remember we discussed source/destination checks in class. Disabling them seems like it could help with the traffic forwarding issue.
upvoted 0 times
...
Jolanda
5 months ago
This seems straightforward enough. Disabling the source/destination checks on the proxy instances should do the trick. That will allow them to properly forward the traffic as needed. I'll make sure to mark that as my answer choice.
upvoted 0 times
...
Andra
5 months ago
Hmm, I'm a bit confused by the specifics of the proxy setup and how the routing is supposed to work. I'll need to re-read the question a few times and maybe jot down some notes to make sure I understand all the moving parts.
upvoted 0 times
...
Winfred
5 months ago
This seems like a tricky one, but I think I have a good handle on the key concepts. I'll need to carefully review the details of the proxy setup and network configurations to determine the best approach.
upvoted 0 times
...
Junita
5 months ago
Okay, I think I've got this. The key is going to be ensuring the proxy instances can properly route traffic between the private subnets and the internet. I'd start by looking at the security group rules and the network interface configurations on those proxy instances.
upvoted 0 times
...
Mirta
5 months ago
I'm pretty sure using the NMI button is the best option here, but I don't remember what that button actually does.
upvoted 0 times
...
Melinda
1 year ago
Option D looks like the most comprehensive solution. Splitting the network interfaces and routing appropriately seems like the way to go. Just don't forget to check for any 'Socks in the proxy' issues!
upvoted 0 times
Stefan
1 year ago
Just don't forget to check for any 'Socks in the proxy' issues!
upvoted 0 times
...
Carole
1 year ago
Splitting the network interfaces and routing appropriately seems like the way to go.
upvoted 0 times
...
Susana
1 year ago
Option D looks like the most comprehensive solution.
upvoted 0 times
...
...
Pete
1 year ago
Ha! Changing the DHCP options to point to the proxy instances? That's like trying to fit a square peg into a round hole. Not the most elegant solution if you ask me.
upvoted 0 times
...
Felix
1 year ago
Hmm, adding a rule to the security group to allow all traffic seems a bit risky. I'd prefer a more targeted approach like option D.
upvoted 0 times
Sang
1 year ago
Yeah, option D with additional network interfaces seems like a safer bet.
upvoted 0 times
...
Samira
1 year ago
I think option D is the best choice to ensure proper forwarding of traffic.
upvoted 0 times
...
Kasandra
1 year ago
I agree, option D seems like a more secure solution.
upvoted 0 times
...
...
Dong
1 year ago
I'm not sure about that. Disabling source/destination checks could open up some security vulnerabilities. Maybe we should consider option D instead?
upvoted 0 times
Lettie
1 year ago
Agreed. Option D seems like the best course of action to ensure the traffic is properly forwarded.
upvoted 0 times
...
Marge
1 year ago
Let's go with option D then. It seems like the most secure and effective way to resolve the issue.
upvoted 0 times
...
Willetta
1 year ago
Option D sounds like a better solution. Assigning additional network interfaces could help with forwarding the traffic properly.
upvoted 0 times
...
Rueben
1 year ago
I think you're right. Disabling source/destination checks might not be the best option.
upvoted 0 times
...
...
Thaddeus
1 year ago
I think changing the VPC's DHCP options set to point to the addresses of the proxy EC2 instances is the best solution to resolve the issue.
upvoted 0 times
...
Royal
1 year ago
Option A seems like the way to go. Disabling source/destination checks should allow the traffic to flow properly through the proxy instances.
upvoted 0 times
Teresita
1 year ago
D) Assign one additional elastic network interface to each proxy EC2 instance. Ensure that one of these network interfaces has a route to the private subnets. Ensure that the other network interface has a route to the internet.
upvoted 0 times
...
Bette
1 year ago
Yes, that could be the issue. Disabling source/destination checks might help.
upvoted 0 times
...
Willow
1 year ago
A) Disable source/destination checks on the EC2 instances that run the proxy software.
upvoted 0 times
...
...
Clemencia
1 year ago
I disagree, I believe adding a rule to the security group to allow all traffic between instances with the security group assigned is the way to go.
upvoted 0 times
...
Essie
1 year ago
I think the solution architect should disable source/destination checks on the EC2 instances running the proxy software.
upvoted 0 times
...
