AWS Certified Data Engineer – Associate (DEA-C01) — Question 256

A finance company uses Amazon Redshift as a data warehouse. The company stores the data in a shared Amazon S3 bucket. The company uses Amazon Redshift Spectrum to access the data that is stored in the S3 bucket. The data comes from certified third-party data providers. Each third-party data provider has unique connection details.

To comply with regulations, the company must ensure that none of the data is accessible from outside the company's AWS environment.

Which combination of steps should the company take to meet these requirements? (Choose two.)

Answer options

• A. Replace the existing Redshift cluster with a new Redshift cluster that is in a private subnet. Use an interface VPC endpoint to connect to the Redshift cluster. Use a NAT gateway to give Redshift access to the S3 bucket.
• B. Create an AWS CloudHSM hardware security module (HSM) for each data provider. Encrypt each data provider's data by using the corresponding HSM for each data provider.
• C. Turn on enhanced VPC routing for the Amazon Redshift cluster. Set up an AWS Direct Connect connection and configure a connection between each data provider and the finance company’s VPC.
• D. Define table constraints for the primary keys and the foreign keys.
• E. Use federated queries to access the data from each data provider. Do not upload the data to the S3 bucket. Perform the federated queries through a gateway VPC endpoint.

Correct answer: A, C

Explanation

Option A is correct because moving the Redshift cluster to a private subnet and using a NAT gateway ensures that the data remains within the company's AWS environment while still allowing access to S3. Option C is also correct since enhanced VPC routing and AWS Direct Connect would facilitate secure connections to the data providers. The other options do not address the requirement of keeping the data inaccessible from outside the AWS environment.