Amazon CLF-C02 Practice Test - Questions Answers, Page 58

A network ACL (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You can create a network ACL and associate it with a subnet to apply rules that allow or deny traffic to or from the subnet. Network ACLs are stateless, meaning that they evaluate the source and destination IP addresses for both inbound and outbound traffic.You can also use network ACLs to block IP address ranges that are known to be malicious12.

The other options are not AWS services or tools that can be used to set up a firewall to control traffic going into and coming out of an Amazon VPC subnet. Security groups are another layer of security for your VPC that act as a firewall for your EC2 instances. Security groups are stateful, meaning that they automatically allow return traffic for allowed inbound traffic.Security groups can only filter traffic based on protocols, ports, and source or destination IP addresses, not on IP ranges3. AWS WAF is a web application firewall that helps protect your web applications from common web exploits. AWS WAF can filter web requests based on rules that you define, such as IP addresses, HTTP headers, HTTP body, or URI strings.AWS WAF does not apply to non-web traffic or to traffic within a VPC4. AWS Firewall Manager is a service that helps you centrally configure and manage firewall rules across your accounts and resources in AWS Organizations. You can use Firewall Manager to apply AWS WAF rules, AWS Network Firewall policies, and Amazon VPC security groups across your AWS accounts. AWS Firewall Manager does not provide a firewall service itself, but rather helps you manage other firewall services

According to the AWS shared responsibility model, the customer is responsible for the security in the cloud, which includes configuring firewalls and networks. AWS provides security groups and network access control lists (NACLs) as firewall features that customers can use to control the traffic to and from their AWS resources. Customers are also responsible for managing their own virtual private clouds (VPCs), subnets, route tables, internet gateways, and other network components.AWS is responsible for the security of the cloud, which includes the physical security of the facilities, the host operating system and virtualization layer, and the AWS global network infrastructure12.Reference:

Shared Responsibility Model - Amazon Web Services (AWS)

Shared responsibility model - Amazon Web Services: Risk and Compliance

AWS Transit Gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks through a central gateway. AWS Transit Gateway simplifies and scales the connectivity between your on-premises networks and AWS, as you only need to create and manage a single connection from the central gateway to each on-premises network, rather than individual connections to each VPC.You can also use AWS Transit Gateway to connect to other AWS services, such as Amazon S3, Amazon DynamoDB, and AWS PrivateLink12.AWS Transit Gateway supports thousands of VPCs per gateway, and enables you to peer Transit Gateways across AWS Regions3.

The other options are not AWS services or features that can simplify and scale the connectivity between on-premises networks and hundreds of VPCs using AWS Direct Connect.VPC endpoints enable private connectivity between your VPCs and supported AWS services, but do not support on-premises networks4.Amazon Route 53 is a DNS service that helps you route internet traffic to your resources, but does not provide network connectivity5.AWS Secrets Manager is a service that helps you securely store and manage secrets, such as database credentials and API keys, but does not relate to network connectivity

AWS Database Migration Service (AWS DMS) is a cloud service that makes it possible to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or between combinations of cloud and on-premises setups. With AWS DMS, you can discover your source data stores, convert your source schemas, and migrate your data. AWS DMS supports migration between 20-plus database and analytics engines, such as Oracle to Amazon Aurora MySQL-Compatible Edition, MySQL to Amazon Relational Database (RDS) for MySQL, Microsoft SQL Server to Amazon Aurora PostgreSQL-Compatible Edition, MongoDB to Amazon DocumentDB (with MongoDB compatibility), Oracle to Amazon Redshift, and Amazon Simple Storage Service (S3). You can perform one-time migrations or replicate ongoing changes to keep sources and targets in sync. AWS DMS automatically manages the deployment, management, and monitoring of all hardware and software needed for your migration.AWS DMS is a highly resilient, secure cloud service that provides database discovery, schema conversion, data migration, and ongoing replication to and from a wide range of databases and analytics systems12.Reference:

Database Migration - AWS Database Migration Service - AWS

What is AWS Database Migration Service? - AWS Database Migration Service

Reserved Instances and Savings Plans are the most cost-effective purchasing options for a compute workload that is steady, predictable, and uninterruptible. Reserved Instances provide a significant discount compared to On-Demand Instances, and Savings Plans offer flexible and consistent savings on EC2 usage. Both options require a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads, but they are more expensive than Reserved Instances or Savings Plans. Spot Instances are the cheapest option, but they are not suitable for uninterruptible workloads, as they can be reclaimed by AWS at any time. Dedicated Hosts and Dedicated Instances are designed for compliance and licensing requirements, not for cost optimization. They are more expensive than the other options, as they run on single-tenant hardware.Reference:Instance purchasing options,Amazon EC2 Pricing,4 Ways to Purchase Amazon EC2 Instances

Spot Instances are a type of EC2 instance that let you bid on unused compute capacity, which AWS offers at a discount of up to 90% compared to On-Demand prices1.Spot Instances are suitable for fault-tolerant, stateless, or flexible applications that can handle interruptions2.Spot Instances can be interrupted with a two-minute warning when EC2 needs the capacity back3.The other options are not pricing models that will interrupt a running EC2 instance if capacity becomes temporarily unavailable

AWS Cloud Development Kit (AWS CDK) is an open source software development framework that allows you to model and provision your cloud infrastructure using familiar programming languages such as TypeScript, Python, Java, and .NET. AWS CDK enables you to use the expressive power of your favorite language to define your cloud resources, such as compute, storage, network, and application services. AWS CDK also provides a library of high-level constructs that represent AWS services and best practices.AWS CDK uses AWS CloudFormation in the background to deploy your resources in a safe and repeatable manner12.Reference:

AWS Cloud Development Kit (CDK) -- TypeScript and Python are Now Generally Available

AWS Cloud Development Kit (AWS CDK) - Introduction to DevOps on AWS

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available1.Amazon SQS is designed to provide a simple and reliable way for customers to decouple and connect components (microservices) together using queues2.Queues are an important mechanism for providing fault tolerance and scalability in distributed systems, and help decouple different parts of your application3.The other options are not AWS services that are used specifically for sending messages between applications

AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and other AWS services1.You can also extend Secrets Manager to rotate other types of secrets, such as credentials for Oracle, SQL Server, or MongoDB databases, by using custom AWS Lambda functions2.Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises3. Therefore, AWS Secrets Manager supports the requirement of rotating database user credentials with the least amount of operational overhead, compared to the other options.Reference:

What Is AWS Secrets Manager? - AWS Secrets Manager

Rotating Your AWS Secrets Manager Secrets - AWS Secrets Manager

AWS Secrets Manager Features - AWS Secrets Manager