Medium · 1 mark · Multiple Choice
Tags: Domain 1 · Security · VPC · S3

AWS SAA-C03 · Question 07 · Domain 1.2: Secure Workloads

A company has an Amazon S3 bucket containing confidential files. The bucket must only be accessible from a specific Amazon VPC. Which TWO steps are required to enforce this? (Select TWO.)

Answer options:

A. Create a VPC endpoint for Amazon S3.

B. Create a NAT Gateway in the VPC.

C. Add an S3 bucket policy allowing access only from the VPC endpoint.

D. Configure a Network ACL to block all non-VPC traffic.

E. Enable S3 Block Public Access.

How to approach this question

Combine network routing with resource-based policies.

Full Answer

Create a VPC endpoint for S3 (A). Add an S3 bucket policy denying access unless the request comes from that VPC endpoint (C).
A VPC endpoint provides a private route from the VPC to S3. The bucket policy enforces that only traffic arriving through that endpoint (identified by the aws:sourceVpce condition key) is allowed.
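The bucket policy described above, written out as an added example (not from the exam page). The bucket name, endpoint ID and the administrator role ARN are placeholders; the condition key is spelled aws:SourceVpce in the AWS documentation, and the second condition keeps the deny from locking out the named admin role when it works from outside the VPC.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-CONFIDENTIAL-BUCKET",
        "arn:aws:s3:::EXAMPLE-CONFIDENTIAL-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/EXAMPLE-S3-ADMIN"
        }
      }
    }
  ]
}
```

Both conditions must hold for the Deny to apply, so a request is refused only when it did not arrive through the endpoint and was not made by the admin role; every other principal, including the account root and the console, is blocked unless it comes through the endpoint, so apply this only after confirming the endpoint and the admin role exist.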

Common mistakes

Thinking a NAT Gateway provides private access to S3.
