AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 45
A CloudOps engineer is troubleshooting an implementation of Amazon CloudWatch Synthetics. The CloudWatch Synthetics results must be sent to an Amazon S3 bucket.
The CloudOps engineer has copied the configuration of an existing canary that runs on a VPC that has an internet gateway attached. However, the CloudOps engineer cannot get the canary to successfully start on a private VPC that has no internet access.
What should the CloudOps engineer do to successfully run the canary on the private VPC?
Answer options
- A. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Add the synthetics:GetCanaryRuns permission to the VPC. On the S3 bucket, add the IgnorePublicAcls permission to the CloudWatch Synthetics role.
- B. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPC. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use the S3 endpoint.
- C. Ensure that the DNS resolution option and the DNS hostnames option are turned off in the VPAdd a security group to the canary to allow outbound traffic on the DNS port. Add the permissions to allow CloudWatch Synthetics to write to the S3 bucket.
- D. Ensure that the DNS resolution option and the DNS hostnames option are turned on in the VPC. Create an interface VPC endpoint for CloudWatch. Create a gateway VPC endpoint for Amazon S3. Add the permissions to allow CloudWatch Synthetics to use both endpoints.
Correct answer: D
Explanation
The correct answer is D because enabling DNS resolution and hostnames allows the canary to resolve endpoints properly, and the creation of both an interface VPC endpoint for CloudWatch and a gateway VPC endpoint for S3 ensures the canary can communicate with both services without internet access. Options A, B, and C are incorrect because they either disable necessary DNS functionalities or do not establish the required endpoints for proper operation in a private VPC.