AWS SAP-C02 · Question 68 · Domain 1.2: Security Controls
An architect is designing a secure architecture for a financial application. The application runs on EC2 instances in a private subnet and needs to access Amazon S3 to store sensitive documents. The security team mandates that this traffic must not traverse the public internet and must be restricted to a specific S3 bucket. How should this be implemented?
Answer options:
Use a NAT Gateway and configure the S3 bucket policy to allow the NAT Gateway's IP.
Create a VPC Gateway Endpoint for S3 and attach an endpoint policy that allows access only to the specific bucket.
Create a VPC Interface Endpoint (PrivateLink) for S3 and use security groups to restrict access.
Establish an AWS Direct Connect connection to S3.