SAP-C02 Study Assistant

SAP-C02 Question 434

VPC EC2 Config

Question

A company has implemented a new security requirement. According to the new requirement, the company must scan all traffic from corporate AWS instances in the company's VPC for violations of the company's security policies. As a result of these scans, the company can block access to and from specific IP addresses. To meet the new requirement, the company deploys a set of Amazon EC2 instances in private subnets to serve as transparent proxies. The company installs approved proxy server software on these EC2 instances. The company modifies the route tables on all subnets to use the corresponding EC2 instances with proxy software as the default route. The company also creates security groups that are compliant with the security policies and assigns these security groups to the EC2 instances. Despite these configurations, the traffic of the EC2 instances in their private subnets is not being properly forwarded to the internet. What should a solutions architect do to resolve this issue?

Options

A. Disable source/destination checks on the EC2 instances that run the proxy software.

B. Add a rule to the security group that is assigned to the proxy EC2 instances to allow all traffic between instances that have this security group. Assign this security group to all EC2 instances in the VPC.

C. Change the VPC's DHCP options set. Set the DNS server options to point to the addresses of the proxy EC2 instances.

D. Assign one additional elastic network interface to each proxy EC2 instance. Ensure that one of these network interfaces has a route to the private subnets. Ensure that the other network interface has a route to the internet.

Answer

A

Explanation

Correct answer: A. Explanation: choose A for this question. Correct option: A. Disable source/destination checks on the EC2 instances that run the proxy software. Reason: this option most directly addresses the key constraint in the question stem. By default an EC2 instance's network interface drops any packet whose source or destination is not the instance itself, so a proxy that has to forward other instances' traffic cannot work until that check is disabled. When working SAP-C02 questions, also check the stem for qualifiers such as highest performance, lowest operational overhead, cost-effectiveness, reliability, scalability, security, RTO/RPO, and compliance requirements. The main topics tested here are VPC, EC2, and Config. Elimination: B, C and D typically fail on protocol or service fit, single points of failure, cross-Region/high-availability design, ...
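As an added example that is not part of the page, the check below audits route tables and instances for exactly the misconfiguration in this question (an instance used as a route target with source/destination checking still on) and emits the CLI fix that answer A describes. It runs on constructed data shaped like the describe-route-tables and describe-instances API responses; all ids are placeholders.

```python
"""Audit for this question's misconfiguration: EC2 route targets (the transparent
proxies) that still have source/destination checking enabled. Added example, not
from the page; it takes dicts shaped like the describe-route-tables and
describe-instances responses, and the sample data and ids are constructed."""

def route_target_instances(route_tables):
    """Map instance id -> set of route-table ids with an active route to it."""
    targets = {}
    for rt in route_tables:
        for route in rt.get("Routes", []):
            iid = route.get("InstanceId")
            if iid and route.get("State", "active") == "active":
                targets.setdefault(iid, set()).add(rt["RouteTableId"])
    return targets

def find_misconfigured_proxies(route_tables, instances):
    """Route-target instances whose SourceDestCheck is still True. With the check
    on, the ENI drops packets whose source or destination is not the instance
    itself, so traffic routed through the proxy is never forwarded."""
    targets = route_target_instances(route_tables)
    findings = []
    for inst in instances:
        iid = inst["InstanceId"]
        if iid in targets and inst.get("SourceDestCheck", True):
            findings.append((iid, sorted(targets[iid])))
    return findings

def fix_commands(findings):
    """AWS CLI command that applies answer A to each finding."""
    return [f"aws ec2 modify-instance-attribute --instance-id {iid} --no-source-dest-check"
            for iid, _ in findings]

# Constructed sample data with placeholder ids, shaped like the API responses.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-proxy-1", "State": "active"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-proxy-2", "State": "active"}]},
]
INSTANCES = [
    {"InstanceId": "i-proxy-1", "SourceDestCheck": True},   # route target, check still on
    {"InstanceId": "i-proxy-2", "SourceDestCheck": False},  # route target, already fixed
    {"InstanceId": "i-app-1", "SourceDestCheck": True},     # ordinary instance, fine
]
if __name__ == "__main__":
    for cmd in fix_commands(find_misconfigured_proxies(ROUTE_TABLES, INSTANCES)):
        print(cmd)
```

Running it prints one command, for i-proxy-1 only; i-app-1 is left alone because it is not a route target.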
