Question Analysis | Accessing S3 from a VPC or an IDC through an Amazon S3 VPC Endpoint


  Question

To run an application, a DevOps Engineer launches Amazon EC2 instances with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the Internet. While the instances launch successfully and show as healthy, the application does not seem to be installed.
Which of the following should successfully install the application while complying with the new rule?

A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
D. Create a security group for the application instances and whitelist only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.

  Reference Answer

C

  Reference Explanation

Technique: eliminate the options that are clearly wrong, then choose the most reasonable one among those that remain.

In this question, the application originally ran on Amazon EC2 instances launched with public IP addresses in a public subnet, and a user data script downloaded and installed the application artifacts at launch. Because the application's security classification has changed, the instances must now run without any Internet access.
The symptom is that the instances launch and report as healthy, yet the application is not installed. That is expected: EC2 status checks only confirm that the instance booted and is reachable, not that the user data script succeeded, so a download that fails because there is no longer a path to the Internet leaves a "healthy" instance with nothing installed. We need a solution that installs the application and complies with the new rule (no Internet access).

A. Incorrect. Launching the instances in a public subnet with Elastic IP addresses attached, then disassociating the addresses after the install, still gives the instances Internet access during the install, even if only briefly, which violates the new rule. Removing the Elastic IPs afterwards does not undo that exposure.
B. Incorrect. Moving the instances to a private subnet and sending the default route through a NAT gateway hides their addresses, but a NAT gateway exists precisely to give private instances outbound Internet access, so this also violates the rule.
C. Correct. Publish the artifacts to an Amazon S3 bucket, create a VPC endpoint for S3, and attach an IAM instance profile so the instances can read from the bucket. A gateway endpoint for S3 adds a route for the S3 prefix list to the subnet's route table, so requests to S3 travel over the AWS network without an Internet gateway, a NAT gateway or a public IP address; the instance profile delivers short-lived credentials through the instance metadata service, so no access keys have to be embedded in the user data. Points to check in practice: the endpoint must be in the same region as the bucket and attached to the private subnet's route table; the endpoint policy (and a bucket policy with an aws:SourceVpce condition) can limit which buckets are reachable through the endpoint and from where; and a gateway endpoint is only usable from inside the VPC, so reaching S3 from an on-premises data center (IDC) over VPN or Direct Connect requires an interface endpoint (AWS PrivateLink) instead.
D. Incorrect. A security group that allows outbound traffic only to the artifact repository still needs a route to the Internet (a public IP plus an Internet gateway, or a NAT gateway) for that traffic to flow, so the instances have Internet access during the install, which is exactly what the rule forbids. Removing the rule afterwards does not change that, and security groups match on IP ranges that a third-party repository can change without notice.
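As an added example (not part of the original explanation, and not AWS's or the exam's own material), the following Terraform layout wires option C together: a private subnet whose route table has no Internet route, an S3 gateway endpoint with a policy scoped to the artifact bucket, an instance role limited to reading the artifact prefix, a security group whose only egress is HTTPS to the S3 prefix list, and a user data script that fails loudly if the download does not succeed. The VPC, AMI, bucket name, subnet CIDR and the `releases/` prefix are assumptions; the AMI is assumed to ship the AWS CLI (Amazon Linux does), since nothing can be installed from the Internet. Written against AWS provider 5.x.

```hcl
# Assumed inputs: an existing VPC, an AMI with the AWS CLI preinstalled
# (e.g. Amazon Linux), and the bucket that holds the artifacts (assumed name).
variable "vpc_id"          { type = string }
variable "ami_id"          { type = string }
variable "artifact_bucket" { type = string }   # e.g. "example-app-artifacts"

data "aws_region" "current" {}

# Private subnet: no public IPs at launch.
resource "aws_subnet" "app" {
  vpc_id                  = var.vpc_id
  cidr_block              = "10.0.10.0/24"   # assumed to fit the VPC CIDR
  map_public_ip_on_launch = false
}

# Route table with only the implicit local route: no 0.0.0.0/0 via IGW or NAT.
resource "aws_route_table" "app" {
  vpc_id = var.vpc_id
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}

# Gateway endpoint for S3: injects a route for the S3 prefix list into the table
# above. The endpoint policy limits what is reachable through it to one bucket.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.app.id]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${var.artifact_bucket}", "arn:aws:s3:::${var.artifact_bucket}/*"]
    }]
  })
}

# Instance role: read-only, scoped to the releases/ prefix (assumed layout).
resource "aws_iam_role" "app" {
  name = "app-artifact-reader"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Principal = { Service = "ec2.amazonaws.com" }, Action = "sts:AssumeRole" }]
  })
}

resource "aws_iam_role_policy" "app_read" {
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "s3:GetObject", Resource = "arn:aws:s3:::${var.artifact_bucket}/releases/*" }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-artifact-reader"
  role = aws_iam_role.app.name
}

# No inbound rules; outbound only HTTPS to the S3 prefix list, so even a
# mistakenly added Internet route could not be used to reach arbitrary hosts.
resource "aws_security_group" "app" {
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "s3_https" {
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = aws_vpc_endpoint.s3.prefix_list_id
}

resource "aws_instance" "app" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.app.id
  associate_public_ip_address = false
  iam_instance_profile        = aws_iam_instance_profile.app.name
  vpc_security_group_ids      = [aws_security_group.app.id]

  # User data pulls the artifact through the endpoint. "set -e" makes a failed
  # download abort the script instead of leaving a "healthy" but empty instance.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    aws s3 cp "s3://${var.artifact_bucket}/releases/app.tar.gz" /tmp/app.tar.gz --region "${data.aws_region.current.name}"
    tar -xzf /tmp/app.tar.gz -C /opt
    /opt/app/install.sh
  EOF
}
```

Two things to keep in mind when adapting this. The `--region` flag matters: without a configured region the CLI may not find one on a freshly launched instance, and a request sent to the wrong regional endpoint is not covered by the gateway endpoint route. And because the endpoint policy allows only the artifact bucket, anything else served from S3 is blocked too, including the Amazon Linux package repositories, so a user data script that also runs `dnf`/`yum` will need those repository buckets added to the endpoint policy or the packages baked into the AMI.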