ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 360 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 360
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company deploys an application on AWS. The application recently uploaded confidential data to an Amazon S3 bucket outside the company. The company's security team wants to prevent this scenario from occurring in the future. The company owns 100 different S3 buckets in various AWS accounts and uses AWS Organizations to manage the accounts.

The security team must implement a solution that allows individual teams to create new S3 buckets. The solution must allow applications that are deployed on AWS to access only the S3 buckets that are deployed in the company's organization.

Which solution will meet these requirements?

  • A. Create an S3 access point in each private subnet. Route all S3 requests to this access point. Create an S3 access point policy that restricts access to specific S3 buckets. Update all S3 access point policies when new S3 buckets are created in the organization.
  • B. Create an S3 gateway endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 gateway endpoint policy that restricts access to specific S3 buckets. Update all S3 gateway endpoint policies when new S3 buckets are created in the organization,
  • C. Create an S3 interface endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 interface endpoint policy that restricts access to specific S3 buckets. Update all S3 interface endpoint policies when new S3 buckets are created in the organization.
  • D. Create a Gateway Load Balancer endpoint in each private subnet. Route all S3 requests to this endpoint. Create a Gateway Load Balancer endpoint policy that restricts access to specific S3 buckets. Update all Gateway Load Balancer endpoint policies when new S3 buckets are created in the organization.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by AdamWest at Nov. 20, 2022, 9:55 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
maddyr
Highly Voted 2 years, 6 months ago
Selected Answer: B
Here there is no mention of within VPC or cross VPC access. For within VPC access, gateway type S3 endpoint will meet the reqs. For cross VPC access/hybrid env., interface endpoint is reqd. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
upvoted 7 times
BK__
2 years, 6 months ago
Exactly @Maddyr, I don't know why everyone is picking "Interface" from the link since there's no mention of within VPC or cross VPC access.
upvoted 1 times
...
ITGURU51
2 years, 1 month ago
We should also use interface endpoints to enable on premise applications to access S3 resources.
upvoted 1 times
...
...
Arad
Most Recent 1 year, 1 month ago
Selected Answer: C
C is the right answer. B is wrong as gateway endpoint cannot be created within a subnet.
upvoted 1 times
...
yorkicurke
1 year, 6 months ago
Selected Answer: B
many have given good reason for option B but i will give why i didnt pick A, which i was considering but came accroos few facts that; Why A is wrong -->> S3 access points can only be used for object-level operations like GetObject, PutObject etc. They do not support bucket-level operations like creating or deleting buckets. The question requires restricting access at the bucket-level. S3 access points do not support restricting access based on the AWS account or organization that the requester belongs to. The access point policy can only control access based on properties like IP address range, VPC etc.
upvoted 1 times
...
Amy2009
1 year, 6 months ago
It should be B. Gateway end point. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway.
upvoted 1 times
...
Andrii223
2 years ago
Gateway endpoints for Amazon S3 Use Amazon S3 public IP addresses Use the same Amazon S3 DNS names Do not allow access from on premises Do not allow access from another AWS Region Not billed
upvoted 1 times
...
Toptip
2 years, 1 month ago
Selected Answer: B
Both B and C are 100% correct... BUT, There is no additional charge for using gateway endpoints...
upvoted 1 times
...
6_8ftwin
2 years, 1 month ago
B When using a gateway endpoint, a prefix list can be added to a route table to CONTROL the traffic that is allowed to access the service through the endpoint.
upvoted 1 times
...
ITGURU51
2 years, 1 month ago
A gateway endpoint is a gateway that you specify in the routing table to access Amazon S3 from your VPC over the AWS network. Interface endpoints should be used for specific use cases such as: using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region by using VPC peering or AWS Transit Gateway. B
upvoted 2 times
...
Sai123
2 years, 2 months ago
why cant we use as it restricts access to specific s3 buckets, Option B and C are more related to routing to travel through internal network instead of public internet. Answer should be A.
upvoted 2 times
Sai123
2 years, 2 months ago
https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/
upvoted 1 times
...
...
Cyp
2 years, 3 months ago
Selected Answer: B
Both A and B does the job however question says route all requests... You can route requests to gateway endpoint not interface endpoint. Please refer to the difference btw two endpoint types. So ans is B https://acloudguru.com/forums/aws-certified-security-specialty/how-is-an-endpoint-gateway-more-resilient-than-endpoint-interface#:~:text=An%20interface%20endpoint%20is%20powered,traffic%20destined%20for%20the%20service.
upvoted 1 times
...
c73bf38
2 years, 3 months ago
Selected Answer: B
S3 gateway endpoint creation
upvoted 2 times
...
YogiB1
2 years, 4 months ago
Between B & C, interface endpoint won't stop accessing S3 buckets outside your account whereas gateway endpoints are added to route table so you must use them (enforced) to access S3 from VPC. So gateway endpoint serves the purpose here. Answer is B.
upvoted 4 times
...
PatrickLi
2 years, 4 months ago
Selected Answer: B
Upvote for B. Gateway endpoints for S3 and DynamoDB. And no they won't require any NAT gateways.
upvoted 4 times
...
selim507
2 years, 5 months ago
Selected Answer: B
You should always use gateway endpoint for S3 as default if you don't have any specific req. "Gateway endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Gateway endpoints do not enable AWS PrivateLink. There is no additional charge for using gateway endpoints."
upvoted 4 times
...
secdaddy
2 years, 6 months ago
B would require adding NAT devices in each private subnet, of which there is no mention in the solution. C seems to meet the requirements as the private subnets can use the interface gateway directly.
upvoted 2 times
roguecloud
2 years, 4 months ago
Going to need to disagree on that, one of the most important benefits of S3 Gateway (been implementing for multiple orgs since release) is that you can access S3 even with no IGW/NAT/ingress /egress..
upvoted 1 times
...
...
Teknoklutz
2 years, 6 months ago
Selected Answer: C
C is correct
upvoted 2 times
...
Fyssy
2 years, 6 months ago
Selected Answer: B
Gateway is inexpensive as interface endpoint supports VPN and Direct connect https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel