A company requires that all API calls to Amazon S3 from their VPC must not traverse the public internet. Furthermore, access to S3 must be restricted to only a specific S3 bucket owned by the company. How should the architect implement this?

Answer options:

A.

Create a VPC Interface Endpoint for S3. Use a security group to restrict access to the bucket.

B.

Create a VPC Gateway Endpoint for S3. Attach an endpoint policy that allows access only to the specific S3 bucket ARN.

C.

Route S3 traffic through a NAT Gateway and use an IAM policy on the EC2 instances to restrict bucket access.

D.

Enable S3 Block Public Access on the bucket and use an Internet Gateway.

How to approach this question

Combine private connectivity (VPC Endpoint) with resource restriction (Endpoint Policy).

Full Answer

B.Create a VPC Gateway Endpoint for S3. Attach an endpoint policy that allows access only to the specific S3 bucket ARN.✓ Correct

VPC Gateway Endpoints provide private connectivity to S3. Endpoint policies allow you to restrict which S3 buckets can be accessed through the endpoint.

Common mistakes

Using NAT Gateway, which violates the requirement to avoid the public internet.

Question 04 All questions Question 06

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6

75 questions · hints · full answers · grading

Sign up free Take the exam

More questions from this exam

Q01A global enterprise requires highly available hybrid connectivity between its on-premises data ce...Hard Q02An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs...Hard Q03A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW)...Medium Q04An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global ...Hard Q06An enterprise uses AWS Organizations with all features enabled. The CISO mandates that no AWS acc...Hard

View all 75 questions →