AWS Certified Solutions Architect - Professional / Question #772 of 529

Question #772

A company has a centralized data repository in an Amazon S3 bucket accessed by multiple departments, each with their own VPC. The security policy mandates that all S3 access must occur through private network connections, and each department must have only the necessary permissions. A solutions architect proposes using S3 access points restricted to each department's VPC. Which two steps should be taken? (Choose two.)

A

Create an S3 access point for each department in the central account hosting the bucket. Restrict each access point to the respective VPC. Update the bucket policy to enforce access via access points.

B

Create an interface VPC endpoint for S3 in each department's VPC. Attach an endpoint policy allowing access to the S3 access point. Associate the endpoint with the VPC's security groups.

C

Establish a gateway endpoint for S3 in each department's VPC. Configure the endpoint policy to permit access to the S3 access point. Update the route tables to direct traffic through the gateway endpoint.

D

Deploy an S3 access point in each department's AWS account and link it to the central S3 bucket. Restrict each access point to the department's VPC. Modify the bucket policy to require access through these access points.

E

Create a gateway endpoint in the central account's VPC. Attach an endpoint policy allowing access to the S3 bucket. Update the route tables to route traffic via the gateway.

Explanation

Answer A is correct because an access point is created in the account that owns the bucket (the central account here) and can be given a network origin of VPC, after which S3 rejects any request to that access point that does not arrive from the named VPC. Each department gets its own access point with its own policy, and that policy grants the department's principals only the actions and prefixes they need, which is how "only the necessary permissions" is met. The bucket policy is then changed to deny requests that do not come through one of the account's VPC-origin access points (conditions on s3:DataAccessPointAccount and s3:AccessPointNetworkOrigin) and to delegate the rest of the decision to the access point policies. Answer C is correct because a gateway endpoint for S3 in each department's VPC keeps the traffic on the AWS network; its route-table association is what sends S3-bound traffic through it, and an endpoint policy scoped to that department's access point ARN means the VPC can reach only its own access point. The two controls are complementary: the access point checks where the request came from, and the endpoint policy limits where the VPC may go.

Incorrect options: B is not wrong on endpoint type (S3 has supported interface endpoints through AWS PrivateLink since 2021, and a VPC-origin access point accepts requests through either kind of endpoint), but interface endpoints carry an hourly and per-GB charge and the security-group association adds nothing to the S3 authorization decision, so for VPC-internal access the gateway endpoint in C is the expected choice. D: S3 does support cross-account access points, but the bucket owner must still delegate to them in the bucket policy, so creating them in each department's account spreads the control plane across accounts without adding any restriction; the centralized model in the question points to A. E: an endpoint in the central account's VPC is on the wrong side; the requests originate in the department VPCs, and a gateway endpoint only affects traffic from the route tables it is associated with. Key points: access points are managed from the bucket's account, each is pinned to one VPC, the bucket policy denies anything not arriving through those access points, and each department VPC gets its own gateway endpoint with a scoped endpoint policy and route-table association.
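The following is an added example, not part of the original page: the three policy documents that implement answers A and C (bucket policy, per-department VPC-origin access point with its policy, and the gateway endpoint policy for the department VPC), plus a deliberately simplified evaluator that shows how the conditions combine. The evaluator models only the subset of IAM that these policies use (Deny wins, StringEquals/StringNotEquals, `*` globs, and the rule that a missing condition key makes StringNotEquals true). The account IDs, bucket name, VPC IDs and role ARNs are made up, and the caller's identity policy is assumed to allow the action.

```python
"""Added example (not from the page): policies for S3 access points restricted
to a VPC plus a toy evaluator. All IDs, names and ARNs below are invented."""
import fnmatch

CENTRAL_ACCOUNT = "111111111111"   # assumed account that owns the bucket
BUCKET = "corp-central-data"       # assumed bucket name
REGION = "us-east-1"

# Assumed departments: each has its own VPC and its own consuming role.
DEPARTMENTS = {
    "finance": {"vpc": "vpc-0aaa1111", "role": "arn:aws:iam::222222222222:role/finance-analyst"},
    "hr":      {"vpc": "vpc-0bbb2222", "role": "arn:aws:iam::333333333333:role/hr-analyst"},
}
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

def ap_arn(dept):
    return f"arn:aws:s3:{REGION}:{CENTRAL_ACCOUNT}:accesspoint/{dept}-ap"

# (A) Bucket policy in the central account. Two explicit Denies force every
# request through a VPC-origin access point owned by this account; the Allow
# then delegates the per-department decision to the access point policies.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OnlyViaOurAccessPoints", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"s3:DataAccessPointAccount": CENTRAL_ACCOUNT}}},
    {"Sid": "OnlyFromVpcOrigin", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"s3:AccessPointNetworkOrigin": "VPC"}}},
    {"Sid": "DelegateToAccessPoints", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": BUCKET_ARNS,
     "Condition": {"StringEquals": {"s3:DataAccessPointAccount": CENTRAL_ACCOUNT}}},
]}

# (A) One access point per department. VpcConfiguration pins it to one VPC
# (NetworkOrigin=VPC); its policy grants only that department's role, only
# under that department's prefix.
def access_point(dept):
    return {"Name": f"{dept}-ap", "Bucket": BUCKET,
            "VpcConfiguration": {"VpcId": DEPARTMENTS[dept]["vpc"]},
            "Policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": DEPARTMENTS[dept]["role"]},
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": f"{ap_arn(dept)}/object/{dept}/*"}]}}

# (C) Gateway endpoint policy in the department VPC: through this endpoint the
# VPC can reach its own access point and nothing else in S3.
def endpoint_policy(dept):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [ap_arn(dept), f"{ap_arn(dept)}/object/*"]}]}

# --- Toy evaluator: explicit Deny wins, else any matching Allow, else implicit deny.
def _listify(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)            # None when the key is absent from the request
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:   # absent key => "not equal" => True
                return False
    return True

def _principal_ok(principal, ctx):
    return principal == "*" or ctx["principal"] in _listify(principal["AWS"])

def evaluate(policy, ctx):
    """Return 'Deny', 'Allow' or 'Implicit deny' for one policy document."""
    decision = "Implicit deny"
    for stmt in policy["Statement"]:
        hit = (_principal_ok(stmt["Principal"], ctx)
               and any(fnmatch.fnmatchcase(ctx["action"], a) for a in _listify(stmt["Action"]))
               and any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _listify(stmt["Resource"]))
               and _conditions_hold(stmt.get("Condition", {}), ctx))
        if hit and stmt["Effect"] == "Deny":
            return "Deny"
        if hit:
            decision = "Allow"
    return decision

def get_object(role, source_vpc, key, via=None):
    """Simulate GetObject from `source_vpc`. `via` names the department access
    point used, or None for a direct bucket request. Returns (allowed, layer
    that made the decision). The caller's identity policy is assumed to allow."""
    ctx = {"principal": role, "action": "s3:GetObject", "resource": f"arn:aws:s3:::{BUCKET}/{key}"}
    if via is None:   # direct request: S3 sets no access point keys in the context
        return (evaluate(BUCKET_POLICY, ctx) == "Allow", "bucket policy")
    ap = access_point(via)
    ap_ctx = dict(ctx, resource=f"{ap_arn(via)}/object/{key}")
    ep_dept = next(d for d, v in DEPARTMENTS.items() if v["vpc"] == source_vpc)
    if evaluate(endpoint_policy(ep_dept), ap_ctx) != "Allow":   # gateway endpoint of the source VPC
        return (False, "endpoint policy")
    if ap["VpcConfiguration"]["VpcId"] != source_vpc:           # NetworkOrigin=VPC check
        return (False, "access point network origin")
    if evaluate(ap["Policy"], ap_ctx) != "Allow":
        return (False, "access point policy")
    ctx.update({"s3:DataAccessPointAccount": CENTRAL_ACCOUNT, "s3:AccessPointNetworkOrigin": "VPC"})
    return (evaluate(BUCKET_POLICY, ctx) == "Allow", "bucket policy")
```

Walking the simulation through the cases the question cares about: the finance role reading `finance/...` through `finance-ap` from the finance VPC is allowed; the same role hitting the bucket directly is denied by the first bucket-policy statement, because the request carries no s3:DataAccessPointAccount key; using `finance-ap` from the HR VPC is stopped by the HR endpoint policy before the access point is ever reached; and the HR role, or a request for an `hr/` key, through `finance-ap` is refused by the access point policy. One caveat before applying the bucket policy for real: its Deny statements also lock out the central account's own administrators, including console access, so in practice you exempt a break-glass or admin role (for example with an aws:PrincipalArn condition) before saving it.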

Answer

The correct answer is: {A,C}