AWS Certified SysOps Administrator – Associate (legacy) — Question 711
A security team is concerned that intellectual property might leak to the internet. A SysOps administrator must identify controls to address the potential problem.
The instances in question operate in a VPC and cannot be allowed to send traffic to the internet.
What should the SysOps administrator do to meet these requirements?
Answer options
- A. Add the following route to a route table for the subnets used by the instances: Destination: 0.0.0.0/0 Target: igw-xxxxxxxx
- B. Ensure that the instances do not have Elastic IP addresses. Move the instances to a private subnet.
- C. Enable enhanced networking on the instances. Move the instances to a private subnet.
- D. Remove any routes that allow internet traffic from the route table associated with the instances' subnets.
Correct answer: D
Explanation
To prevent instances in a VPC subnet from sending traffic to the internet, you must remove any routes that direct traffic to an Internet Gateway (such as 0.0.0.0/0) from the associated route table. Simply moving instances or removing Elastic IPs does not guarantee a complete block if outbound routes are still defined. Enabling enhanced networking only improves network performance and does not restrict outbound internet access.
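The check behind the correct answer can be automated: walk every route table and flag active routes whose target is an internet-capable gateway, then report which subnets those tables are associated with. The following audit script is an added example, not part of the original question or of any AWS tooling. It reads the same JSON shape that EC2 DescribeRouteTables returns (for example from `aws ec2 describe-route-tables`), and it goes slightly beyond the question's IGW case by also flagging NAT gateway and egress-only internet gateway targets, both of which still give instances an outbound path. The route tables, gateway IDs and subnet IDs in the sample are constructed for the example.

```python
"""Audit VPC route tables for routes that would let instances reach the internet.

Added example. Input follows the EC2 DescribeRouteTables response shape;
the SAMPLE data below is constructed, not taken from a real account.
"""
from typing import Dict, List, Tuple

# Route attributes whose value names the route's target, and the ID prefixes
# of targets that provide an internet path (IGW, NAT gateway, egress-only IGW).
TARGET_KEYS = ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId")
INTERNET_PREFIXES = ("igw-", "nat-", "eigw-")


def route_target(route: Dict) -> str:
    """Return the target ID of a route ('local', 'igw-...', 'nat-...', ...) or ''."""
    for key in TARGET_KEYS:
        value = route.get(key)
        if value:
            return value
    return ""


def is_internet_route(route: Dict) -> bool:
    """True for an active route whose target is an internet-capable gateway."""
    if route.get("State", "active") != "active":
        return False
    return route_target(route).startswith(INTERNET_PREFIXES)


def find_internet_routes(route_table: Dict) -> List[Tuple[str, str]]:
    """Return (destination, target) for every internet-capable route in a table."""
    findings = []
    for route in route_table.get("Routes", []):
        if not is_internet_route(route):
            continue
        dest = (route.get("DestinationCidrBlock")
                or route.get("DestinationIpv6CidrBlock")
                or route.get("DestinationPrefixListId", "?"))
        findings.append((dest, route_target(route)))
    return findings


def subnets_with_internet_path(describe_output: Dict) -> Dict[str, List[Tuple[str, str]]]:
    """Map each subnet ID to the internet-capable routes in its associated table."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for table in describe_output.get("RouteTables", []):
        bad_routes = find_internet_routes(table)
        if not bad_routes:
            continue
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet:
                result[subnet] = bad_routes
    return result


# Constructed sample: one public table (IGW), one NAT-routed table, one isolated table.
SAMPLE = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-public-example",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
            ],
            "Associations": [{"SubnetId": "subnet-aaa"}],
        },
        {
            "RouteTableId": "rtb-nat-example",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
            ],
            "Associations": [{"SubnetId": "subnet-bbb"}],
        },
        {
            "RouteTableId": "rtb-isolated-example",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
            "Associations": [{"SubnetId": "subnet-ccc"}],
        },
    ]
}

if __name__ == "__main__":
    for subnet, routes in subnets_with_internet_path(SAMPLE).items():
        for dest, target in routes:
            print(f"{subnet}: route {dest} -> {target} gives an internet path; remove it")
```

Only subnet-ccc, whose table carries nothing but the local route, passes; the other two are reported with the exact route to delete. On a live account, pipe the DescribeRouteTables JSON into `subnets_with_internet_path` and treat any non-empty result for the affected subnets as a finding.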