Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 164 discussion

Ans: D Although B works, it is extremely tedious to create bucket policies if the company has 100's of buckets. Endpoint policy is the first line of defense. it is possible to add several buckets as resources to one End point policy and attach it to the Endpoint. "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]

I did some further digging and it seems both B and D will work. However with D we can achieve this with a single policy. So I change my answer to D.

What of the below Control access using bucket policies You can use bucket policies to control access to buckets from specific endpoints, VPCs, IP address ranges, and AWS accounts. Example: Restrict access to a specific endpoint You can create a bucket policy that restricts access to a specific endpoint by using the aws:sourceVpce condition key. The following policy denies access to the specified bucket unless the specified gateway endpoint is used. This example assumes that there is also a policy statement that allows the access required for your use cases. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

B is for policy on S3 bucket and not endpoint. A, and C cannot come due to VPC outlying. Hence, D

Answer D. The difference between B and D is who should be restricted. B is to restrict endpoints while D is to restrict buckets. The question is to restrict buckets, not endpoints.

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#vpc-endpoints-policies-s3: "You can use bucket policies to control access to buckets from specific endpoints, or specific VPCs." Answer is D

D for sure. However, they should have mentioned VPC endpoints for S3. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html

D for sure. Each spoke VPC only needs to connect to the Transit Gateway to gain access to other connected VPCs. Transit Gateway across different regions can peer with each other to enable VPC communications across regions. Whenever you think of centralizing multiple vpcs and vpns think transit gateway

D All types of policies — IAM user policies, endpoint policies, S3 bucket policies, and Amazon S3 ACL policies (if any) — must grant the necessary permissions for access to Amazon S3 to succeed.

Answer: D

D will do

Did the lab. I confirm that you can set policies to the Gateway endpoint for S3 to allow or deny access to buckets. Ans. D

Those who are vouching for B should note that "the company wants to block access to UNTRUSTED BUCKETS".

DDDDDDDDDDDDDDDDDDDDD

D for sure

D. VPC endpoints for S3 are secured through VPC endpoint access polices. This allows you to set which S3 buckets the endpoints should and should not have access to. By default, any user or service within the VPC, has access to any S3 resource. Use together with S3 bucket policies to further refine access control over your buckets and objects. https://tutorialsdojo.com/amazon-s3-bucket-policies-for-vpc-endpoints/

The answer is D. The requirement is to allow traffic in VPC endpoint only. The bucket policy (as proposed in answer B) controls the access in the S3 bucket only. The solution B alone would allow traffic coming from untrusted S3 buckets to the VPC endpoint, which is a scenario to be avoided