
Exam AWS Certified Security - Specialty topic 1 question 411 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 411
Topic #: 1

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.

A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication.

What else should the security engineer check to determine why the request from the EC2 instance is failing?

  • A. Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.
  • B. Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.
  • C. Verify that the internet gateway is allowing traffic to Amazon S3.
  • D. Verify that the VPC endpoint policy is allowing access to Amazon S3.
Suggested Answer: D

Comments

Toptip
2 years, 1 month ago
Selected Answer: D
D for me
upvoted 1 times
AzureDP900
2 years, 4 months ago
D is right
upvoted 1 times
Leonardocp33
2 years, 6 months ago
Selected Answer: D
D is correct
upvoted 1 times
tainh
2 years, 7 months ago
Selected Answer: D
D is correct
upvoted 2 times
kerar
2 years, 7 months ago
Selected Answer: D
Review the endpoint policy. Check if the policy blocks access to the S3 bucket or to the AWS Identity and Access Management (IAM) user affected by the connectivity issues. If necessary, edit the policy to enable access for the S3 bucket or IAM user. https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/
upvoted 3 times
AdamWest
2 years, 7 months ago
Selected Answer: D
D - It's possible the instance profile creds are not permitted in the VPC endpoint policy. All endpoints come standard with a permit any any, but they can be changed. Default endpoint policy: "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*" https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
upvoted 4 times
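As an added illustration (not code from the page, from ExamTopics or from AWS), the following reduced Python evaluator applies a gateway endpoint policy to a request, using the default allow-all policy quoted in the comment above next to a constructed restrictive policy, to show how a request that IAM and the bucket policy both permit can still be refused at the endpoint. The role ARN, bucket names and the restrictive policy are assumptions, and the evaluator ignores Condition keys.

```python
import re

# Default gateway endpoint policy, as quoted in the comments: allow everything.
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

# Constructed restrictive endpoint policy: reads from one approved bucket only.
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::approved-bucket", "arn:aws:s3:::approved-bucket/*"]}]}

def _match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _any_match(field, value: str, ignore_case: bool = False) -> bool:
    patterns = field if isinstance(field, list) else [field]
    return any(_match(p, value, ignore_case) for p in patterns)

def _principal_match(principal, caller_arn: str) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):  # e.g. {"AWS": "arn:aws:iam::123456789012:role/x"}
        return _any_match(principal.get("AWS", []), caller_arn)
    return False

def endpoint_allows(policy: dict, caller_arn: str, action: str, resource: str) -> bool:
    """Reduced evaluator: any matching Allow grants, any matching Deny overrides.
    Condition keys are ignored; actions compare case-insensitively, ARNs exactly."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_match(stmt.get("Principal", {}), caller_arn)
                and _any_match(stmt.get("Action", []), action, ignore_case=True)
                and _any_match(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny in the endpoint policy always wins
        allowed = True
    return allowed

if __name__ == "__main__":
    # Constructed caller: the instance profile role's session ARN.
    role = "arn:aws:sts::123456789012:assumed-role/ec2-s3-reader/i-0abc"
    obj = "arn:aws:s3:::other-bucket/report.csv"
    for name, pol in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        ok = endpoint_allows(pol, role, "s3:GetObject", obj)
        print(f"{name} endpoint policy: GetObject other-bucket -> {'allowed' if ok else 'denied'}")
```

On a real account the document to feed into such a check is the PolicyDocument returned by `aws ec2 describe-vpc-endpoints` for the gateway endpoint in question.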
Community vote distribution: A (35%), C (25%), B (20%), Other