Exam DOP-C02
Question 245

A company deploys an application on on-premises devices in the company’s on-premises data center. The company uses an AWS Direct Connect connection between the data center and the company's AWS account. During initial setup of the on-premises devices and during application updates, the application needs to retrieve configuration files from an Amazon Elastic File System (Amazon EFS) file system.

All traffic from the on-premises devices to Amazon EFS must remain private and encrypted. The on-premises devices must follow the principle of least privilege for AWS access. The company's DevOps team needs the ability to revoke access from a single device without affecting the access of the other devices.

Which combination of steps will meet these requirements? (Choose two.)

    Correct Answer: B, D

    To meet the requirements, issue a certificate to each on-premises device from AWS Private Certificate Authority and configure IAM Roles Anywhere with that CA as a trust anchor, so each device obtains short-lived, least-privilege credentials for an IAM role; attach the EFS access policy to that role. Mount the file system with the amazon-efs-utils package, which supports encryption in transit. Because every device authenticates with its own certificate, the DevOps team can revoke a single device's access without affecting the others, and all traffic remains private and encrypted.
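The combination in the correct answer, as an added example (not from the exam page or from AWS): a small provisioning script that renders the per-device AWS CLI profile backed by `aws_signing_helper`, builds the efs-utils mount command with `tls` and `iam`, and checks that a live mount really goes through the local TLS tunnel. All ARNs, the file system id, the certificate paths and the profile name are placeholders.

```shell
#!/bin/sh
# Added example (not from the exam page or AWS): provision one on-premises
# device for IAM Roles Anywhere plus an encrypted, IAM-authorized EFS mount.
# All ARNs, the file system id and the certificate paths are placeholders.
set -eu

TRUST_ANCHOR_ARN="${TRUST_ANCHOR_ARN:-arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/PLACEHOLDER}"
PROFILE_ARN="${PROFILE_ARN:-arn:aws:rolesanywhere:us-east-1:111122223333:profile/PLACEHOLDER}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111122223333:role/EfsClientRole}"

# Render an AWS CLI profile whose credentials come from the signing helper.
# Each device presents its own Private CA-issued certificate, so revoking
# that one certificate cuts off that one device and nothing else.
render_aws_profile() {
  profile="$1"; cert="$2"; key="$3"
  cat <<EOF
[profile ${profile}]
credential_process = aws_signing_helper credential-process --certificate ${cert} --private-key ${key} --trust-anchor-arn ${TRUST_ANCHOR_ARN} --profile-arn ${PROFILE_ARN} --role-arn ${ROLE_ARN}
EOF
}

# Render the efs-utils mount command: "tls" encrypts traffic in transit,
# "iam" authorizes the mount with the role credentials from the named profile.
render_mount_cmd() {
  fs_id="$1"; target="$2"; profile="$3"
  printf 'mount -t efs -o tls,iam,awsprofile=%s %s:/ %s\n' "$profile" "$fs_id" "$target"
}

# Post-mount check: efs-utils TLS mounts go through a local stunnel
# endpoint, so the NFS source is 127.0.0.1:/ rather than the mount target IP.
# Pass the output of: findmnt -no SOURCE /mnt/efs
source_is_local_tunnel() {
  case "$1" in
    127.0.0.1:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Apply on a real device: ./provision.sh apply device-0001 fs-0123456789abcdef0
if [ "${1:-}" = "apply" ]; then
  dev="$2"; fs="$3"
  mkdir -p "$HOME/.aws"
  render_aws_profile "$dev" /etc/pki/device.crt /etc/pki/device.key >> "$HOME/.aws/config"
  mkdir -p /mnt/efs
  sh -c "$(render_mount_cmd "$fs" /mnt/efs "$dev")"
  source_is_local_tunnel "$(findmnt -no SOURCE /mnt/efs)" || { echo "mount is not TLS-tunneled" >&2; exit 1; }
fi
```

Revoking one device then means revoking its certificate in the Private CA (and letting the signing helper fail on that device); the other devices keep mounting with their own certificates.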

Discussion
KaranNishad
Options: BD

B. Generate certificates for each on-premises device in AWS Private Certificate Authority. Create a trust anchor in IAM Roles Anywhere that references an AWS Private CA. Create an IAM role that trusts IAM Roles Anywhere. Attach the AmazonElasticFileSystemClientReadWriteAccess policy to the role. Create an IAM Roles Anywhere profile for the IAM role. Configure the AWS CLI on the on-premises devices to use the aws_signing_helper command to obtain credentials.

D. Use the amazon-efs-utils package to mount the EFS file system.

getadroit

BD: https://aws.amazon.com/blogs/aws/amazon-efs-update-on-premises-access-via-direct-connect-vpc/

tgv
Options: BD

---> B D

trungtd
Options: BD

A. Creating individual IAM users with full access does not follow the principle of least privilege => Wrong

C. Using a single IAM user for all devices does not allow the ability to revoke access from a single device without affecting others => Wrong

E. Technically feasible, but it does not inherently provide encryption in transit