An architect is designing a secure architecture for a financial application. The application runs on EC2 instances in a private subnet and needs to access Amazon S3 to store sensitive documents. The security team mandates that this traffic must not traverse the public internet and must be restricted to a specific S3 bucket. How should this be implemented?

Answer options:

A.

Use a NAT Gateway and configure the S3 bucket policy to allow the NAT Gateway's IP.

B.

Create a VPC Gateway Endpoint for S3 and attach an endpoint policy that allows access only to the specific bucket.

C.

Create a VPC Interface Endpoint (PrivateLink) for S3 and use security groups to restrict access.

D.

Establish an AWS Direct Connect connection to S3.

How to approach this question

Use VPC Endpoints for private AWS service access.

Full Answer

B.Create a VPC Gateway Endpoint for S3 and attach an endpoint policy that allows access only to the specific bucket.✓ Correct

A VPC Gateway Endpoint for S3 ensures traffic does not leave the Amazon network. An Endpoint Policy (IAM resource policy attached to the endpoint) can restrict access so that instances can only communicate with the specified S3 bucket.

Common mistakes

Using a NAT Gateway, which uses public IP space.

Question 67 All questions Question 69

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

75 questions · hints · full answers · grading

Sign up free Take the exam

More questions from this exam

Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...Easy Q02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...Easy Q03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...Easy Q04An architect needs to design a highly available database architecture that spans multiple AWS Reg...Easy Q05A global financial institution is migrating its core banking application to AWS. The application ...Medium

View all 75 questions →