
Exam ANS-C00 topic 1 question 358 discussion

Exam question from Amazon's ANS-C00
Question #: 358
Topic #: 1

A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
Which changes should a network engineer make to the architecture to meet these requirements?

  • A. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
  • B. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
  • C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
  • D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.
Suggested Answer: B
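The bucket policy that option B describes, as an added illustration rather than anything from the exam or the discussion: a gateway VPC endpoint for S3 is attached to the application VPC's route tables, and the bucket policy denies every request that does not arrive through that endpoint. The bucket name and endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromApplicationVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny, it also blocks administrators working from the console or CLI outside the VPC, so the policy is normally applied from inside the VPC or with a narrow exception for an administrative principal; the EC2 role still needs an identity policy that grants the S3 actions, since the bucket policy above only restricts where requests may come from.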

Comments

Homosapien
Highly Voted 3 years, 6 months ago
The correct answer is B. It will restrict access to connections from the VPC endpoint, which would be reachable from the whole VPC. The question explicitly mentions that the S3 bucket should allow access from the whole VPC.
A. You cannot create a bucket in a VPC.
C. You will connect through the public internet, therefore you'll see the public IPs of the VPC. Not a good solution.
D. Roles can be assigned to EC2 instances in other VPCs, allowing unwanted access.
upvoted 10 times
sapien45
3 years, 2 months ago
Response is B. Had a similar question in AWS Associate Architect.
upvoted 2 times
clooudy
Most Recent 2 years, 11 months ago
Selected Answer: B
Answer B
upvoted 1 times
walkwolf3
3 years, 6 months ago
D.
A. Wrong. S3 is a global service; you can't create S3 in a specified VPC.
B. Wrong. Any other applications can access S3 through the endpoint.
C. Wrong. Too broad a range, same as B.
D. Correct.
upvoted 1 times
clooudy
2 years, 12 months ago
D is wrong - Ans is B
upvoted 1 times
walkwolf3
3 years, 6 months ago
C. Won't work, since S3 access is public by default; S3 will see public IP ranges instead of the VPC's private CIDR. Considering the S3 bucket can be accessed from the VPC, while answer D restricts the access to the application instances, my retake is B.
upvoted 2 times
Luscious
3 years, 5 months ago
D is wrong as this limits access to the S3 buckets to only endpoints with the role assigned. The question asks for access for VPC resources (keyword VPC) to have access to the S3 buckets. No other restriction was stated. The best way to achieve that would be to attach an S3 gateway endpoint to the VPC that facilitates access to the S3 buckets, with restrictions on the buckets' policies to the gateway endpoint. This ensures that VPC resources only will have access to the S3 buckets. B therefore is the right answer here.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other