PrepAway - Latest Free Exam Questions & Answers

Which of the following options would you consider?

You are designing a data leak prevention solution for your VPC environment. You want your VPC instances to
be able to access software depots and distributions on the Internet for product updates. The depots and
distributions are accessible via third-party CDNs by their URLs. You want to explicitly deny any other outbound
connections from your VPC instances to hosts on the Internet.
Which of the following options would you consider?

A.
Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default
routes.

B.
Implement security groups and configure outbound rules to only permit traffic to software depots.

C.
Move all your instances into private VPC subnets, remove default routes from all routing tables and add
specific routes to the software depots and distributions only.

D.
Implement network access control lists to all specific destinations, with an implicit deny as a rule.

10 Comments on “Which of the following options would you consider?”

    1. Amit says:

      Since it is asking about DLP, A sounds the best suited answer. All other plausible options B, C, D will not be able to stop DLP if it's happening through legit site.
    1. majidy says:

      Default routes are to allow you to get out to addresses unknown by your router.
      In the scenario we are only allowing access to certain URLs, so no default route required.
  1. SuperCoolDev says:

    D is correct as the question asks for restriction at the VPC level. NACL can do that.

    A- can be an option but not the best option
    B- Security Groups work at the instance level and not at the VPC level
    C – If you move the instances to private then they will not be able to access the internet without NAT server or NAT gateway.
  2. SuperCoolDev says:

    Please ignore the previous post.

    The answer should be “A” as the instances would be accessing the URLs. NACL would be a good option if we work with IP.
  3. JJ says:

    Ans is A.
    The depots and distributions are accessible via third-party CDNs by their URLs; A uses a web proxy server, which just fits.
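The distinction the comments arrive at (URL-based rules need a proxy, because network ACLs and security groups match only IP addresses, ports and protocols) is sketched below as an added example; it is not part of the original page or of any commenter's post. The hostnames, path prefixes and function names are constructed placeholders, and the code models only the allow/deny decision an egress proxy would make, not a proxy itself.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allowlist (placeholder names): host -> permitted path prefix.
ALLOWED = {
    "depot.cdn.example": "/updates/",
    "dist.cdn.example": "/packages/",
}

def _norm(host):
    # Exact-match key: lower-case, no trailing dot; never suffix matching.
    return (host or "").rstrip(".").lower()

def decide(method, target):
    """Return 'allow' or 'deny' for one proxy request (default deny)."""
    try:
        if method.upper() == "CONNECT":
            # HTTPS tunnel: the proxy sees only host:port, never the path,
            # so the rule can be no finer than the hostname.
            host, _, port = target.rpartition(":")
            return "allow" if port == "443" and _norm(host) in ALLOWED else "deny"
        url = urlsplit(target)
        host = _norm(url.hostname)
        if url.scheme != "http" or url.username or url.password:
            return "deny"
        if (url.port or 80) != 80 or host not in ALLOWED:
            return "deny"
        # Decode and collapse "../" before comparing with the prefix.
        path = posixpath.normpath(unquote(url.path) or "/") + "/"
        return "allow" if path.startswith(ALLOWED[host]) else "deny"
    except ValueError:  # malformed port or host in the target
        return "deny"

def audit(requests):
    """Map each (method, target) pair to its decision."""
    return [(m, t, decide(m, t)) for m, t in requests]

if __name__ == "__main__":
    sample = [  # constructed request lines
        ("GET", "http://depot.cdn.example/updates/pkg.rpm"),
        ("GET", "http://depot.cdn.example/updates/%2e%2e/upload"),
        ("CONNECT", "dist.cdn.example:443"),
        ("CONNECT", "203.0.113.10:443"),
        ("CONNECT", "depot.cdn.example.other.example:443"),
    ]
    for row in audit(sample):
        print(*row)
```

Because a CDN hostname can resolve to many changing IP addresses, the same policy cannot be written as a fixed list of destination CIDRs.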
