
Exam ANS-C00 topic 1 question 46 discussion

Exam question from Amazon's ANS-C00
Question #: 46
Topic #: 1

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. EC2 instances in neither the public nor the private subnet are able to access the S3 bucket.
What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

  • A. Add the CIDR address range of the private subnet to the S3 bucket policy.
  • B. Add the VPC-E identifier to the S3 bucket policy.
  • C. Add the VPC identifier for the production VPC to the S3 bucket policy.
  • D. Add the VPC-E identifier for the production VPC to endpoint policy.
Suggested Answer: B

Comments

Windows98
Highly Voted 3 years, 8 months ago
I think B. There's an existing S3 policy and you need to add the VPC-E ID, not the VPC itself. You can't use private IPv4 in the buckets because they're not unique. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
upvoted 18 times
route53
Highly Voted 3 years, 8 months ago
I think A is wrong because aws:sourceIp expects a public IP address. B is the correct answer since the traffic is routed via a VPC-E.
upvoted 11 times
connorh
3 years, 8 months ago
"Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-1a2b3c4d" } } ... is valid
upvoted 7 times
PavanKushwah123
Most Recent 2 years, 5 months ago
Correct Answer B
upvoted 1 times
PavanKushwah123
2 years, 5 months ago
Correct Answer A
upvoted 1 times
soyyodario
3 years ago
Selected Answer: B
B https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 1 times
ktulu2602
3 years, 3 months ago
Selected Answer: B
You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range (the private IPv4 address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. Therefore, you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range. Instead, you can do the following: Use your route tables to control which instances can access resources in Amazon S3 via the endpoint. For bucket policies, you can restrict access to a specific endpoint or to a specific VPC. For more information, see Amazon S3 bucket policies.
upvoted 2 times
LWang123
3 years, 4 months ago
I go with A. The following example bucket policy blocks traffic to the bucket unless the request is from specified private IP addresses (aws:VpcSourceIp):

{
  "Id": "VpcSourceIp",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VpcSourceIp",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:VpcSourceIp": [ "10.1.1.1/32", "172.1.1.1/32" ]
        }
      },
      "Principal": "*"
    }
  ]
}
upvoted 1 times
AzureDP900
3 years, 4 months ago
B is right
upvoted 1 times
shammous
3 years, 5 months ago
Selected Answer: B
When creating a VPC endpoint (VPC-E), The target VPC and the private subnet are selected. Then, just allow traffic from that VPC-E in the S3 bucket policy.
upvoted 1 times
Emushu
3 years, 5 months ago
Selected Answer: A
I will go with 'A' because if you add the VPC-E to the S3 we are also adding the public range.
upvoted 2 times
Cyril_the_Squirl
3 years, 7 months ago
B is Correct. Example:

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::example_bucket",
        "arn:aws:s3:::example_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 2 times
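The two bucket-policy patterns argued over in this thread, the aws:sourceVpce Deny shown in the comment above (option B) and the aws:SourceIp approach of option A, as an added example that is not part of the exam page, AWS's documentation, or any commenter's post: a small evaluator that applies AWS's documented rule that negated condition operators match when the key is absent from the request context. The endpoint ID, private CIDR, bucket name and request contexts are constructed sample values.

```python
"""Evaluate the Deny-unless conditions behind options A and B of this question.
Added example, not code from the exam page, AWS, or any commenter. It applies AWS's
documented rule that negated operators (StringNotEquals, NotIpAddress) match when the
key is absent from the request context. All IDs, CIDRs and contexts are constructed."""
import ipaddress

ENDPOINT_ID = "vpce-1a2b3c4d"   # sample gateway endpoint ID, as in the thread's policy
PRIVATE_CIDR = "10.0.1.0/24"    # constructed private-subnet CIDR

def deny_unless(condition):
    """Bucket-wide Deny statement gated by one Condition block."""
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example_bucket", "arn:aws:s3:::example_bucket/*"],
            "Condition": condition}

OPTION_B = deny_unless({"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}})
OPTION_A = deny_unless({"NotIpAddress": {"aws:SourceIp": PRIVATE_CIDR}})

def condition_matches(operator, key, expected, context):
    """One key: a missing key is False for positive operators, True for negated ones."""
    negated = operator.startswith(("StringNot", "NotIp"))
    if key not in context:
        return negated          # this rule is what makes option A deny endpoint traffic
    values = [expected] if isinstance(expected, str) else list(expected)
    if operator in ("StringEquals", "StringNotEquals"):
        hit = context[key] in values
    elif operator in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(context[key])
        hit = any(addr in ipaddress.ip_network(c) for c in values)
    else:
        raise ValueError(f"unsupported operator {operator}")
    return hit != negated

def explicitly_denied(statement, context):
    """True when every condition of the Deny statement matches the request context."""
    return all(condition_matches(op, key, exp, context)
               for op, keys in statement["Condition"].items()
               for key, exp in keys.items())

# Constructed request contexts. Per the AWS docs quoted in the thread, a request through
# the gateway endpoint carries aws:sourceVpce but no aws:SourceIp value a CIDR can match.
PRIVATE_VIA_VPCE = {"aws:sourceVpce": ENDPOINT_ID, "aws:VpcSourceIp": "10.0.1.25"}
PUBLIC_VIA_VPCE = {"aws:sourceVpce": ENDPOINT_ID, "aws:VpcSourceIp": "10.0.0.9"}
INTERNET_PATH = {"aws:SourceIp": "203.0.113.7"}     # request not routed via the endpoint

if __name__ == "__main__":
    for name, ctx in [("private subnet via VPC-E", PRIVATE_VIA_VPCE),
                      ("public subnet via VPC-E", PUBLIC_VIA_VPCE), ("outside", INTERNET_PATH)]:
        print(f"{name:26} B denies: {explicitly_denied(OPTION_B, ctx)!s:5} "
              f"A denies: {explicitly_denied(OPTION_A, ctx)}")
```

Note that option B does not distinguish the two subnets: both requests arrive through the same endpoint, so the route tables, not the bucket policy, are what keep the public subnet off the endpoint.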
walkwolf3
3 years, 7 months ago
B. A. aws:SourceIp in the S3 bucket policy could be public or private IPs, but AWS is not recommending this approach. You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range (the private IPv4 address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. C. This may allow EC2 instances in the public subnet to access S3, which doesn't meet the requirement. D. The default VPC-E policy is applied and allows everything, so this doesn't help. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 2 times
eeghai7thioyaiR4
3 years, 7 months ago
Ok, so after review, the answer is B: Add the VPC-E identifier to the S3 bucket policy. When you create a VPC endpoint, you need to specify the VPC as well as the subnet. The S3 policy can be used with the VPC and the VPC endpoint. However, applying a policy based on the VPC would allow instances from the public subnet to reach the bucket, which should be forbidden. As the VPC endpoint is mapped to a specific subnet, it can be mapped to the private subnet only.
upvoted 3 times
jason2009
3 years, 7 months ago
This is just another example of very bad questions coming out of this exam. As a matter of fact, none of the options would satisfy the implied requirement of restricting access to the S3 bucket to the private subnet only. I guess it's just there to confuse people. All choices are bad choices. In practice what I do is B. But B alone does not prevent the public subnet from accessing the S3 bucket through the endpoint, because a VPC-E, as the name suggests, is a VPC-level construct. Because the default endpoint policy allows everything, the public subnet can simply add a route to the VPC-E and they will have access. You will need to modify either the security groups or the endpoint policies to restrict access. None of these are present in the questions or the answers. Fundamentally B and C are the same. Even if you choose C you can still block the access to the VPC-E in your ENI security group or only allow access from certain resources through the endpoint policy, which you also have to do in B. They are the same, folks.
upvoted 3 times
Pratap
3 years, 8 months ago
Add the VPC-E identifier to the bucket policy.
upvoted 2 times
andyo
3 years, 8 months ago
Answer is B - CORRECT - the VPC-E ID will need to be added to the policy. D is updating the endpoint policy, but the default for that has already been applied, which allows full access. C: if you attach the VPC identifier, both Private and Public will be allowed, and the requirement only allows Private access. A: no CIDR allowed for this; the S3 bucket policy for endpoints only allows the VPC-E ID or the VPC.
upvoted 2 times
jason2009
3 years, 7 months ago
But in B you can still access the bucket in public subnet through VPC-E. Default endpoint policy does not disable such access.
upvoted 1 times
lunt
3 years, 8 months ago
Many comments when the solution is so textbook. A. Nope. Cannot add CIDR range. C. Nope. D. Question states default VPCE policy applied. C. Yes. Default VPCE policy allows all access; the bucket policy is then the next ACL to be evaluated. Answer is C. There is no other option that works within the question's requirements/statements.
upvoted 1 times
lunt
3 years, 8 months ago
Changing answer. Answer is B. A. Cannot add private CIDR to S3 bucket policy. C. Grants VPC permission overall. Too open. D. Endpoint = still needs to pass bucket policy. Default policy for EP permits all. B. Yes. S3 bucket updated to allow VPCE.
upvoted 2 times
Ronanh
3 years, 8 months ago
You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range (the private IPv4 address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. For bucket policies, you can restrict access to a specific endpoint.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other