Which combination of actions should the Solutions Architect take to meet the user’s security requirements?
(Choose two.)
Launch the Amazon EMR cluster in a private subnet configured to use an AWS KMS CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and an interface VPC endpoint for AWS KMS.
Launch the Amazon EMR cluster in a private subnet configured to use an AWS KMS CMK for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and a NAT gateway to access AWS KMS.
Launch the Amazon EMR cluster in a private subnet configured to use an AWS CloudHSM appliance for at-rest encryption. Configure a gateway VPC endpoint for Amazon S3 and an interface VPC endpoint for CloudHSM.
Configure the S3 endpoint policies to permit access to the necessary data buckets only.
Configure the S3 bucket policies to permit access using an aws:sourceVpce condition to match the S3 endpoint ID.
Explanations:
Launching the Amazon EMR cluster in a private subnet with AWS KMS CMK encryption meets the isolation and encryption requirements. Configuring a gateway VPC endpoint for S3 ensures private S3 access, and an interface VPC endpoint for AWS KMS allows access to KMS without the need for internet access.
A NAT gateway would allow outbound internet access, which contradicts the isolation requirement. An interface VPC endpoint for AWS KMS is needed to access KMS without internet.
AWS CloudHSM is unnecessary for this requirement, as AWS KMS CMK provides sufficient encryption and key control. CloudHSM also adds unnecessary complexity and costs.
Endpoint policies alone do not fully meet the security requirements for isolation and encryption, as the setup needs to control access to both S3 and KMS within the VPC.
Configuring S3 bucket policies withaws:sourceVpceensures that only traffic originating from the specified S3 endpoint can access the bucket, helping to enforce VPC isolation and security requirements.