AWS Certified SysOps Administrator – Associate — Question 343

A company manages its production applications across several AWS accounts. The company hosts the production applications on Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are spread across multiple VPCs. Each VPC uses its own Amazon Route 53 private hosted zone for private DNS.

A VPC from Account A needs to resolve private DNS records from a private hosted zone that is associated with a different VPC in Account B.

What should a SysOps administrator do to meet these requirements?

Answer options

• A. In Account A, create an AWS Systems Manager document that updates the /etc/resolv.conf file across all EC2 instances to point to the AWS provided default DNS resolver for the VPC in Account B.
• B. In Account A, create an AWS CloudFormation template that associates the private hosted zone from Account B with the private hosted zone in Account A.
• C. In Account A, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account B to associate the VPC from Account A with the private hosted zone in Account B.
• D. In Account B, use the AWS CLI to create a VPC association authorization. When the association is created, use the AWS CLI in Account A to associate the VPC from Account B with the private hosted zone in Account A.

Correct answer: D

Explanation

To associate a private hosted zone in Account B with a VPC in Account A, the owner of the private hosted zone (Account B) must first authorize the association. This is done by creating a VPC association authorization via the AWS CLI or API. Once authorized, the owner of the VPC (Account A) can complete the association process using the AWS CLI or API.