Hard · 1 mark · Multiple Choice
Tags: Domain 1.2: Secure Workloads · Domain 1 · Security · VPC Endpoint · S3

AWS SAA-C03 · Question 09 · Domain 1.2: Secure Workloads

A company has a strict compliance requirement that Amazon EC2 instances in a private subnet must only be able to access a specific Amazon S3 bucket. The instances must not have access to the internet. How can a solutions architect meet this requirement MOST securely?

Answer options:

A. Deploy a NAT gateway in a public subnet. Configure the S3 bucket policy to only allow traffic from the NAT gateway's Elastic IP.

B. Create a VPC gateway endpoint for S3. Attach an endpoint policy that allows access only to the specific S3 bucket.

C. Create a VPC interface endpoint for S3. Configure the security group on the endpoint to only allow traffic to the specific S3 bucket.

D. Set up an AWS Site-to-Site VPN to route traffic to the S3 bucket through the corporate network.

How to approach this question

Identify the need for private S3 access (VPC Endpoint) and the need to restrict access to a specific bucket (Endpoint Policy).

Full Answer

B. Create a VPC gateway endpoint for S3. Attach an endpoint policy that allows access only to the specific S3 bucket. ✓ Correct
A VPC gateway endpoint provides private connectivity to Amazon S3 without requiring an internet gateway or a NAT device, so the instances never need an internet path. To restrict access to a specific bucket, you attach a VPC endpoint policy to the endpoint that explicitly allows access only to the required bucket ARN.
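As an added example (not part of the exam page), the following Python builds the endpoint policy that option B describes and audits a policy document for resources beyond the approved bucket; the bucket name is a constructed placeholder and the audit helper is hypothetical, not an AWS API.

```python
import json

# Constructed placeholder bucket name; substitute the real compliance bucket.
APPROVED_BUCKET = "example-compliance-bucket"


def endpoint_policy(bucket: str) -> dict:
    """Build the gateway endpoint policy from option B.

    Both ARNs are required: the bucket ARN covers s3:ListBucket and the
    bucket/* ARN covers object-level calls such as GetObject and PutObject.
    "Principal": "*" is the usual form for a gateway endpoint policy: it scopes
    which buckets the VPC can reach, while IAM policies still govern callers.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyApprovedBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def audit_endpoint_policy(policy: dict, bucket: str) -> list:
    """Return one finding per Allow resource that could reach another bucket.

    Flags the default full-access endpoint policy ("Resource": "*"), a
    service-wide ARN (arn:aws:s3:::*), and statements naming other buckets.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a finding
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: allows {arn}")
    return findings


if __name__ == "__main__":
    policy = endpoint_policy(APPROVED_BUCKET)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_endpoint_policy(policy, APPROVED_BUCKET))
```

The endpoint policy limits where traffic from the VPC can go; the complementary control on the bucket side is a bucket policy with an `aws:sourceVpce` condition, so the bucket accepts requests only through that endpoint.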

Common mistakes

Choosing a NAT gateway, which gives the subnet outbound internet access and so violates the no-internet requirement.
