
Answer-first summary for fast verification
Answer: In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
To meet the company's requirements for centralizing and managing interface VPC endpoints so that AWS resources can reach AWS KMS privately, without sending traffic over the public internet, the network engineer should use a centralized (hub) design. The interface endpoint for AWS KMS is created once, in the shared services account. Private DNS is disabled on that endpoint because the AWS-managed private DNS name only answers queries from the VPC that hosts the endpoint; it cannot be shared with the spoke VPCs. Instead, the shared services account creates its own private hosted zone named for the KMS service endpoint, with an alias record pointing to the interface endpoint, and associates that hosted zone with the spoke VPCs in each AWS account. Resources in the spokes then resolve the KMS service name to the endpoint's private IP addresses and reach it over the Transit Gateway hub-and-spoke network. This keeps all endpoints and Route 53 zones in the shared services account and gives every account a private path to AWS KMS, which is what the company's security and centralized-management requirements call for.
Author: LeetQuiz Editorial Team
What steps should the network engineer take to centralize and manage interface VPC endpoints for private communication with AWS services, ensuring that all Amazon Route 53 zones and interface endpoints are managed within a shared services AWS account, while leveraging AWS Transit Gateway for inter-VPC connectivity in a hub-and-spoke model, and enabling AWS resources to access AWS Key Management Service (AWS KMS) without routing traffic over the public internet?
A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account.
C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account.
D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.