Question #544
A company uses multiple AWS accounts. The DNS records for internal services are stored in a private hosted zone for Amazon Route 53 in Account X. Applications running in a VPC in Account Y cannot resolve the backend.example.com CNAME record pointing to an Amazon ElastiCache endpoint. The solutions architect verified that the record set was correctly created in Route 53.
Which combination of steps should the solutions architect take to resolve the resolution failure? (Choose two.)
A. Migrate the ElastiCache cluster to the VPC in Account Y. Create a new record set for the cluster's endpoint in the existing private hosted zone.
B. Use a bastion host to access the application instances. Update the /etc/hosts file with the ElastiCache endpoint IP address.
C. Create an authorization in Account X to associate the private hosted zone with the VPC in Account Y.
D. Create a new private hosted zone for example.com in Account Y. Configure Route 53 Resolver inbound endpoints for cross-account DNS queries.
E. Associate the VPC in Account Y with the private hosted zone in Account X. Remove the authorization record in Account X after association.
Explanation
The issue arises because a private hosted zone in Account X is not automatically accessible to a VPC in Account Y. To resolve this:
- C: Account X must authorize the VPC in Account Y to associate with its private hosted zone. This grants permission for cross-account DNS resolution.
- E: After associating the VPC in Account Y with the hosted zone, the authorization in Account X is no longer needed and can be removed.
Why other options are incorrect:
- A: Moving the ElastiCache cluster is unnecessary; the DNS configuration is the root issue.
- B: Manually updating /etc/hosts is not scalable or AWS-recommended.
- D: Creating a duplicate hosted zone in Account Y would cause conflicts and is not required.
Key Points:
- Private hosted zones require explicit cross-account authorization for VPC association.
- Authorizations are only needed during association and can be revoked afterward.
Answer
The correct answer is: CE