AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 334

An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPS with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.
What is the MOST simple and secure architecture that will achieve the organization's goal?

Answer options

• A. Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
• B. Use the existing VPS and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
• C. Create a new VPS without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.
• D. Create a new VPS without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.

Correct answer: A

Explanation

Deploying Amazon EMR in a private subnet within the existing VPC satisfies the security requirement of avoiding public subnets, while still utilizing the existing VPN connection to access on-premises databases. Using an Amazon S3 VPC endpoint allows the EMR cluster to securely transfer data to Amazon S3 privately without traversing the public internet. This approach is the simplest because it avoids the overhead of creating a new VPC or introducing unnecessary NAT gateways.