AWS Certified Solutions Architect - Associate / Question #1227 of 1019

Question #1227

A company needs to transfer sensitive data from an Amazon EC2 instance to an Amazon S3 bucket. The solution must ensure that all data transfers occur within the AWS network without exposing traffic to the public internet. Additionally, only the specific EC2 instance should have permissions to upload data to the S3 bucket.

Which solution meets these requirements?

A

Create an interface VPC endpoint for S3 in the VPC where the EC2 instance resides. Configure the S3 bucket policy to allow access only from the IAM role attached to the EC2 instance.

B

Set up a gateway VPC endpoint for S3 in the same region as the EC2 instance. Attach a security group to the endpoint that restricts access to the EC2 instance's private IP. Apply a bucket policy allowing access from the EC2 instance's IAM role.

C

Use AWS PrivateLink to establish a private connection between the EC2 instance and the S3 bucket. Update the VPC route tables to direct S3 traffic through the PrivateLink endpoint. Attach a bucket policy restricting access to the EC2 instance's IAM role.

D

Configure the EC2 instance to use an S3 VPC endpoint gateway and modify the bucket's policy to allow access only from the VPC endpoint. Add a route in the VPC route table to direct S3 traffic through the gateway endpoint.

Explanation

Answer A is correct because:
1. Interface VPC endpoint for S3: an elastic network interface with a private IP address inside the VPC, reached through AWS PrivateLink. The instance's requests to S3 stay on the AWS network and the subnet needs no internet gateway or NAT route. The instance must actually address the endpoint, though: either enable private DNS for the endpoint or point the client at the endpoint-specific DNS name (for example with --endpoint-url); a client that still resolves the public S3 hostname will try to reach S3 over the internet.
2. IAM role based bucket policy: a bucket policy whose Principal is the instance's IAM role grants s3:PutObject to that role and to no other principal named in the policy. On its own, an Allow does not enforce the private path, so in practice pair it with an explicit Deny on requests whose aws:sourceVpce is not the endpoint; otherwise the same role credentials could be used to upload over the public S3 endpoint.

Why the other options are incorrect:
- B: Gateway endpoints are route-table targets, not network interfaces, so no security group can be attached to them. Access to a gateway endpoint is controlled by its endpoint policy and by which subnets' route tables point at it, so the security-group step cannot be carried out.
- C: A PrivateLink (interface) endpoint is reached by DNS name and private IP, not by a route. Route-table updates are needed only for gateway endpoints, so that step is wrong for the endpoint type described.
- D: The gateway endpoint does keep the traffic private, but a bucket policy conditioned only on the endpoint (aws:sourceVpce) admits every principal in the VPC that routes through it, not just the one EC2 instance. The requirement that only the specific instance may upload is not met.

Key Points:
- Use VPC endpoints (interface or gateway) to keep S3 traffic within AWS. A gateway endpoint is the usual, no-charge choice for S3 from inside a VPC; an interface endpoint is needed when the client sits outside the VPC (on-premises, peered VPC) or when a security group and a fixed private IP are wanted.
- Restrict S3 access by identity (the instance's IAM role, matched through Principal or aws:PrincipalArn) rather than by a VPC-wide aws:sourceVpce condition alone; combining the two (allow the role, deny anything not from the endpoint) enforces both requirements in one policy.
- An IAM role can be attached to more than one instance. If "only this instance" must hold literally, attach the role to that instance only, or add a condition on ec2:SourceInstanceARN, which is set for requests made with instance-profile credentials.
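The bucket policy the explanation describes, written out and run through a minimal model of S3's policy evaluation. This is an added example, not material from the original question or from AWS; the bucket name, account ID, role ARN, second role ARN and endpoint ID are assumed placeholders, and the evaluator implements only the two condition operators the policy uses. It shows why the Allow on the role needs the explicit Deny statements beside it: with the endpoint Deny in place, the same role credentials are refused when the request does not carry aws:sourceVpce, and uploads by any other principal are refused even through the endpoint.

```python
"""Bucket policy: uploads only by one IAM role, only through one VPC
endpoint, plus a simplified simulation of how S3 evaluates it.
Added example; all identifiers below are assumed placeholders."""
import fnmatch
import json

# Assumed placeholder identifiers (hypothetical, not from the original page).
BUCKET = "sensitive-uploads-example"
ROLE_ARN = "arn:aws:iam::111122223333:role/ec2-uploader-role"
OTHER_ROLE_ARN = "arn:aws:iam::111122223333:role/some-other-role"
VPCE_ID = "vpce-0123456789abcdef0"


def bucket_policy(bucket: str, role_arn: str, vpce_id: str) -> dict:
    """Allow s3:PutObject for the instance role, then deny (1) any request
    that did not arrive through the endpoint and (2) any upload by another
    principal. The Allow alone would let the same credentials upload over
    the public S3 endpoint; the Deny statements carry both requirements."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUploadsFromInstanceRole",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:PutObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {
                "Sid": "DenyRequestsNotViaVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                "Sid": "DenyUploadsByOtherPrincipals",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": role_arn}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, request_principal: str) -> bool:
    # "*" or {"AWS": "*"} matches everyone; otherwise the ARN must be listed.
    # S3 matches an assumed-role session to its role ARN, so the request
    # carries the role ARN here rather than the session ARN.
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or request_principal in allowed


def _condition_matches(condition: dict, context: dict) -> bool:
    """Only StringEquals / StringNotEquals. A missing key follows IAM rules:
    StringEquals is false, the negated StringNotEquals is true."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy: dict, request: dict) -> str:
    """Simplified bucket-policy evaluation: an explicit Deny wins over any
    Allow, an Allow beats the default, and no matching statement is an
    implicit deny. aws:PrincipalArn is derived from the caller as in a
    real request; other context keys come from the request itself."""
    context = {"aws:PrincipalArn": request["principal"], **request.get("context", {})}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], request["principal"]):
            continue
        if not any(fnmatch.fnmatchcase(request["action"], p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


POLICY = bucket_policy(BUCKET, ROLE_ARN, VPCE_ID)


def decide(principal_arn: str, action: str, via_endpoint: bool) -> str:
    """Decision for one constructed request against the object key report.csv.
    via_endpoint=False models the same credentials used over the public path."""
    context = {"aws:sourceVpce": VPCE_ID} if via_endpoint else {}
    return evaluate(POLICY, {"principal": principal_arn, "action": action,
                             "resource": f"arn:aws:s3:::{BUCKET}/report.csv",
                             "context": context})


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for args in [(ROLE_ARN, "s3:PutObject", True),        # Allow
                 (ROLE_ARN, "s3:PutObject", False),       # ExplicitDeny: not via endpoint
                 (OTHER_ROLE_ARN, "s3:PutObject", True),  # ExplicitDeny: wrong principal
                 (ROLE_ARN, "s3:GetObject", True)]:       # ImplicitDeny: never granted
        print(args, "->", decide(*args))
```

The simulation covers the bucket policy only. In a real account an identity-based policy on another same-account principal can still grant access where the bucket policy merely does not mention it (the ImplicitDeny case above), which is why the restrictions that must hold for everyone are written as explicit Deny statements with Principal "*" rather than left to the absence of an Allow.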

Answer

The correct answer is: A