# AWS-Certified-SAP-on-AWS---Specialty-PAS-C01 — Question 428

**Type:** multiple_choice
**Topics:** topic_1

## Question

A company deploys its SAP ERP system on AWS in a highly available configuration across two Availability Zones. The cluster is configured with an overlay IP address and a Network Load Balancer (NLB) to provide access to the SAP application layer to all users. The company's analytics team has created several Operational Data Provisioning (ODP) extractor services for the SAP ERP system.

A highly available ETL system will call the ODP extractor services. The ETL system is hosted on Amazon EC2 instances that are deployed in an analytics VPC in a different AWS account. An SAP solutions architect needs to prevent the ODP extractor services from being used as an attack vector to overload the SAP ERP system.

Which solution will provide the MOST protection for the ODP extractor services?

## Correct Answer

_See scenario._

## Explanation

Selected Answer: D

VPC Endpoint Service + IAM Role: This is the most restrictive and secure approach. The VPC endpoint service allows you to expose a specific service (in this case, the NLB for SAP) to another VPC. By using IAM roles attached to the ETL instances, you can very tightly control which instances can access the SAP system. This would provide the most granular level of access control and thus the most protection against potential misuse of the ODP extractor services.

**Reference:** examtopics_top_comment

---
Source: https://hiexam.net/q/amazon/AWS-Certified-SAP-on-AWS---Specialty-PAS-C01/428  