
Exam AWS-SysOps topic 1 question 822 discussion

Exam question from Amazon's AWS-SysOps
Question #: 822
Topic #: 1

A company needs to restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only. All traffic must be over the AWS private network.
What actions should the SysOps Administrator take to meet these requirements?

  • A. Create a VPC endpoint for the S3 bucket, and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
  • B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
  • C. Create a service-linked role for Amazon EC2 that allows the EC2 instances to interact directly with Amazon S3, and attach an IAM policy to the role that allows the EC2 instances full access to the S3 bucket.
  • D. Create a NAT gateway in the VPC, and modify the VPC route table to route all traffic destined for Amazon S3 through the NAT gateway.
Suggested Answer: B

Comments

nicat
Highly Voted 2 years, 9 months ago
B. Create a VPC endpoint for the S3 bucket, and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
upvoted 18 times
albert_kuo
Most Recent 11 months, 2 weeks ago
Selected Answer: B
To restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC and ensure all traffic remains over the AWS private network, you should use a VPC endpoint for S3 and a bucket policy.
upvoted 1 times
RicardoD
2 years, 8 months ago
B is the answer
upvoted 1 times
jackdryan
2 years, 8 months ago
I'll go with B
upvoted 2 times
vob
2 years, 8 months ago
B. Not D because you can't route to S3 through a private link via a NAT gateway specifically and on its own. C is required but in itself it won't restrict the bucket and it won't force going via the private link. https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/#:~:text=To%20connect%20to%20your%20S3,need%20to%20do%20the%20following%3A&text=Create%20and%20attach%20an%20AWS,have%20a%20policy%20denying%20access. B will restrict the bucket to that VPC via the private link (still have to configure the endpoint policy even though this is not mentioned), hence this is the right answer. A is similar but wrong because bucket access is limited by bucket policies, not IAM policies (which go on users, groups or roles).
upvoted 4 times
yli
2 years, 8 months ago
B. https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-accesss-vpc-endpoint
upvoted 3 times
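A worked illustration of the answer-B bucket policy that the AWS doc linked above describes, together with the condition-key logic vob refers to (this is an added example, not code from the exam, AWS, or any commenter; the bucket name and endpoint id are constructed placeholders):

```python
import json

# Constructed placeholders for the example; they are not real resources.
BUCKET = "example-restricted-bucket"
VPCE_ID = "vpce-1a2b3c4d"


def build_bucket_policy(bucket, vpce_id):
    """Bucket policy for answer B: deny every S3 action on the bucket unless the
    request arrived through the named gateway VPC endpoint. An explicit Deny in
    the bucket policy overrides any Allow an IAM policy grants, which is why an
    IAM-only approach (answer A) cannot fence the bucket itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _matches_resource(resources, arn):
    # Exact ARN match, or prefix match for a trailing "/*" object wildcard.
    return any(arn == r or (r.endswith("/*") and arn.startswith(r[:-1]))
               for r in resources)


def is_denied(policy, request_ctx, resource):
    """Simplified evaluator covering only what this policy uses: Deny statements
    with a StringNotEquals condition. Returns True when the bucket policy blocks
    the request. A key absent from the request context (no aws:SourceVpce on a
    NAT-gateway or public-internet path) makes StringNotEquals match, so the
    Deny applies, exactly as IAM evaluates negated operators on missing keys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches_resource(stmt["Resource"], resource):
            continue
        for key, expected in stmt["Condition"].get("StringNotEquals", {}).items():
            if request_ctx.get(key) != expected:
                return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, VPCE_ID)
    print(json.dumps(policy, indent=2))
    print("via endpoint denied:", is_denied(policy, {"aws:SourceVpce": VPCE_ID}, f"arn:aws:s3:::{BUCKET}/data.csv"))
    print("via NAT gateway denied:", is_denied(policy, {}, f"arn:aws:s3:::{BUCKET}/data.csv"))
```

As vob notes, the endpoint policy attached to the VPC endpoint is a separate control and is not modelled here; this block covers only the bucket-side Deny.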
narayanan010
2 years, 8 months ago
My bad, option C is not talking about restricting access on S3 and is ONLY talking about providing access to EC2 instances. B is best suited here.
upvoted 2 times
narayanan010
2 years, 9 months ago
Option B doesn't talk about EC2 instances at all, but limits access to the S3 bucket from the VPC endpoint. Can anyone please explain why option C is incorrect?
upvoted 1 times
shimmy
2 years, 8 months ago
The EC2 instances are in the VPC. The VPC has a route to the S3 VPC endpoint. You just need the bucket policy to allow access from the VPC.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)