
Answer-first summary for fast verification
Answer: Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service with a public endpoint that allows only trusted IP addresses. Attach the S3 bucket to the SFTP service endpoint. Grant users access to the SFTP service.
## Explanation

**Correct Answer: C**

**Why Option C is correct:**

1. **Serverless option**: AWS Transfer Family is a fully managed service that eliminates the need to manage EC2 instances, making it serverless.
2. **High IOPS performance**: Amazon S3 provides high throughput and can handle high IOPS requirements for SFTP transfers.
3. **Highly configurable security**: AWS Transfer Family offers multiple security features:
   - Public endpoint with IP address restrictions (trusted IP sources)
   - Integration with AWS Identity and Access Management (IAM) for user permissions
   - S3 bucket policies and encryption
   - AWS Transfer Family supports SSH public key authentication
4. **Maintain control over user permissions**: AWS Transfer Family allows granular control over user permissions through IAM roles and policies, and can map Linux users to IAM roles.
5. **S3 integration**: AWS Transfer Family natively integrates with Amazon S3 as backend storage, providing scalability and durability.

**Why other options are incorrect:**

- **Option A**: EBS volumes are not serverless and don't provide shared storage across multiple instances without additional configuration. EBS is block storage attached to individual EC2 instances.
- **Option B**: While EFS provides shared file storage, the solution still uses elastic IP addresses and VPC endpoints, which doesn't fully meet the "serverless" requirement. AWS Transfer Family with EFS is possible but S3 is more commonly used and better suited for SFTP workloads.
- **Option D**: This option places the SFTP service in a private subnet with internal access only, which would prevent internet-based SFTP clients from connecting unless they're within the VPC or use VPN/Direct Connect. The requirement states the service needs to accept traffic from trusted IP sources on the internet.

**Key AWS Services:**

- **AWS Transfer Family**: Fully managed SFTP service
- **Amazon S3**: Scalable object storage with high throughput
- **IAM**: For user permission management
- **Security Groups/Network ACLs**: For IP-based access control

Author: LeetQuiz Editorial Team
A company runs a highly available SFTP service. The SFTP service uses two Amazon EC2 Linux instances that run with elastic IP addresses to accept traffic from trusted IP sources on the internet. The SFTP service is backed by shared storage that is attached to the instances. User accounts are created and managed as Linux users in the SFTP servers.
The company wants a serverless option that provides high IOPS performance and highly configurable security. The company also wants to maintain control over user permissions.
Which solution will meet these requirements?
A
Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume. Create an AWS Transfer Family SFTP service with a public endpoint that allows only trusted IP addresses. Attach the EBS volume to the SFTP service endpoint. Grant users access to the SFTP service.
B
Create an encrypted Amazon Elastic File System (Amazon EFS) volume. Create an AWS Transfer Family SFTP service with elastic IP addresses and a VPC endpoint that has internet-facing access. Attach a security group to the endpoint that allows only trusted IP addresses. Attach the EFS volume to the SFTP service endpoint. Grant users access to the SFTP service.
C
Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service with a public endpoint that allows only trusted IP addresses. Attach the S3 bucket to the SFTP service endpoint. Grant users access to the SFTP service.
D
Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service with a VPC endpoint that has internal access in a private subnet. Attach a security group that allows only trusted IP addresses. Attach the S3 bucket to the SFTP service endpoint. Grant users access to the SFTP service.