AWS Certified Solutions Architect - Professional / Question #1056 of 529

Question #1056

A company stores IoT data in an Amazon S3 bucket. Data analysts access this data using Amazon EC2 instances running in a VPC within the same AWS account. The EC2 instances have an IAM role with permissions to access the S3 bucket. The company requires that access to the IoT data is only permitted from the corporate VPC.

Which two steps should be taken to meet these requirements? (Choose two.)

A

Create a gateway VPC endpoint for Amazon S3 in the VPC.

B

Create an S3 access point configured to allow access only from the VPC.

C

Modify the EC2 instance role to include a condition restricting access to the VPC.

D

Update the S3 bucket policy with a condition that allows access only when the request comes through the S3 access point.

E

Configure the VPC route tables to direct S3 traffic through a NAT gateway.

Explanation

To restrict S3 access to the corporate VPC, the control has to sit on the bucket side, not only on the caller:

- B: An S3 access point created with a network origin of VPC rejects every request that does not arrive from the named VPC, regardless of how much IAM permission the caller holds. Access points also carry their own policy, so data-plane access for the analysts can be granted there.
- D: The EC2 role is an identity-based policy, and in the same account it already allows direct requests against the bucket. The bucket policy therefore needs an explicit Deny on requests that do not come through an access point owned by the account (the s3:DataAccessPointAccount condition key), which forces every request through the VPC-restricted access point. An Allow statement alone would not close the direct path.

Other options:
- A: A gateway VPC endpoint gives the instances a private path to S3, and a VPC-restricted access point is reached through such an endpoint, but the endpoint by itself does not stop the bucket from being read from anywhere else. It only becomes a restriction when the bucket policy carries an aws:SourceVpce or aws:SourceVpc condition, which is not one of the offered choices.
- C: A condition on the instance role constrains only that role; any other principal that can reach the bucket is unaffected, so the requirement that the data itself be reachable only from the VPC is not met. VPC-based condition keys such as aws:SourceVpc are also only populated when the request reaches S3 through a VPC endpoint.
- E: A NAT gateway sends S3 traffic out over the public internet from the NAT gateway's public IP. S3 then sees an ordinary internet request with no VPC identity attached, so nothing about the corporate VPC is enforced.

Key Points:
1. S3 access points can be bound to a single VPC at creation time (network origin VPC); requests from anywhere else are refused before the access point policy is evaluated.
2. A bucket policy can deny any request that does not arrive through one of the account's access points (s3:DataAccessPointAccount), so the VPC restriction on the access point cannot be bypassed by calling the bucket directly.
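A bucket policy that implements option D is shown below as an added example; it is not part of the original question or AWS documentation. The bucket name example-iot-data, the account ID 111122223333 and the access point ARN are assumed placeholders. The first statement denies data operations that do not arrive through an access point owned by the account; the second goes one step further and rejects any access point in the account whose network origin is not VPC, so that an internet-facing access point created later cannot become a bypass.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDataAccessNotViaOwnAccessPoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-iot-data",
        "arn:aws:s3:::example-iot-data/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:DataAccessPointAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "DenyAccessPointsWithoutVpcOrigin",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-iot-data",
        "arn:aws:s3:::example-iot-data/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:AccessPointNetworkOrigin": "VPC"
        }
      }
    }
  ]
}
```

The Deny is scoped to data-plane actions rather than s3:* so that the policy cannot lock administrators out of managing the bucket policy itself. To pin the bucket to one specific access point instead of any access point in the account, replace the first condition with a StringNotEquals on s3:DataAccessPointArn set to the access point ARN, for example arn:aws:s3:us-east-1:111122223333:accesspoint/iot-data-vpc. The matching access point (option B) is created with a VPC network origin, for example `aws s3control create-access-point --account-id 111122223333 --name iot-data-vpc --bucket example-iot-data --vpc-configuration VpcId=vpc-0123456789abcdef0` (VPC ID assumed); the analysts then address the data by the access point ARN, and the VPC needs an S3 endpoint through which those requests travel. Test with a read from an instance in the VPC and a read from outside it before relying on the policy, since an explicit Deny applies to every principal in the account.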

Answer

The correct answer is: BD