To run an application, a DevOps Engineer launches Amazon EC2 instances with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the Internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?
A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
D. Create a security group for the application instances and whitelist only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.
C
Tip: eliminate the options that are obviously wrong, then choose the most reasonable one among those that remain.
In this question, Amazon EC2 instances with public IP addresses were originally launched in a public subnet to run the application, and a user data script fetched and installed the application artifacts at launch. Because the application's security classification has changed, the instances must now run without Internet access.
The fault is that, although the instances launch successfully and report as healthy, the application is not installed. We need a solution that installs the application successfully while complying with the new rule (no Internet access).
A. Incorrect. Launch the instances in a public subnet with Elastic IP addresses attached, and once the application is installed and running, run a script to disassociate the Elastic IP addresses. This option still leaves the instances exposed in a public subnet with Internet access for a period of time, which violates the new security rule.
B. Incorrect. Set up a NAT gateway, deploy the EC2 instances to a private subnet, and update the private subnet's route table to use the NAT gateway as the default route. This option places the instances in a private subnet, but the NAT gateway still gives them Internet access, which likewise violates the new security rule.
C. Correct. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3, then assign an IAM instance profile to the EC2 instances so they can read the artifacts from the bucket. This option fully complies with the new security rule: with the artifacts in an S3 bucket and a VPC endpoint in place, the EC2 instances can fetch the artifacts from the bucket without any Internet access. The IAM instance profile ensures the instances have the appropriate permissions to read those artifacts.
D. Incorrect. Create a security group for the application instances that allows outbound traffic only to the artifact repository, and remove the rule once the install completes. This approach still involves temporary outbound Internet access, which does not meet the new security rule.
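The architecture from option C as a Terraform configuration, added here as an illustration and not part of the original question: a gateway VPC endpoint for S3 scoped to one artifact bucket, an instance profile that can only read that bucket, and an instance in a private subnet whose user data still installs the application. It assumes the us-east-1 region, an AMI that ships the AWS CLI, and placeholder values for the VPC, route table, subnet, AMI and bucket name.

```hcl
# Added example, not from the original question. Assumes region us-east-1 and a
# private route table whose only route is the VPC local route (no IGW, no NAT).
variable "vpc_id" {}
variable "private_route_table_id" {}
variable "private_subnet_id" {}
variable "ami_id" {}

locals {
  bucket    = "example-app-artifacts" # placeholder bucket name
  resources = ["arn:aws:s3:::${local.bucket}", "arn:aws:s3:::${local.bucket}/*"]
  actions   = ["s3:GetObject", "s3:ListBucket"]
}

# Gateway endpoint: S3 calls from the private route table stay on the AWS network.
# The endpoint policy pins it to the artifact bucket so it is not a path to other buckets.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]
  policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow",
    Principal = "*", Action = local.actions, Resource = local.resources }] })
}

# Instance role: read-only on the artifact bucket and nothing else (least privilege).
resource "aws_iam_role" "app" {
  name = "app-artifact-reader"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow",
    Principal = { Service = "ec2.amazonaws.com" }, Action = "sts:AssumeRole" }] })
}
resource "aws_iam_role_policy" "read_artifacts" {
  role   = aws_iam_role.app.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow",
    Action = local.actions, Resource = local.resources }] })
}
resource "aws_iam_instance_profile" "app" {
  role = aws_iam_role.app.name
}

# Private subnet, no public IP, no route to the Internet; user data still installs.
resource "aws_instance" "app" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.private_subnet_id
  associate_public_ip_address = false
  iam_instance_profile        = aws_iam_instance_profile.app.name
  user_data                   = <<-EOT
    #!/bin/bash
    aws s3 cp "s3://${local.bucket}/app.tar.gz" /tmp/app.tar.gz && tar -xzf /tmp/app.tar.gz -C /opt
  EOT
}
```

After applying, confirm the private route table has no 0.0.0.0/0 entry and that the endpoint appears as a prefix-list route; if the user data still fails, the instance profile or the endpoint policy is the first place to look.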