A company stores sensitive user information in an Amazon S3 bucket. The company wants to provide secure access to this bucket from the application tier running on Amazon EC2 instances inside a VPC. Which combination of steps should a solutions architect take to accomplish this? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Configure a VPC gateway endpoint for Amazon S3 within the VPC., Create a bucket policy that limits access to only the application tier running in the VPC..
Why this is the answer
To securely access S3 from EC2 instances within a VPC without traversing the public internet, a VPC gateway endpoint for S3 is the correct choice. This endpoint provides a private connection, enhancing security and reducing data transfer costs. Additionally, a bucket policy is essential to restrict access to the S3 bucket. This policy should be configured to allow access only from the specific VPC endpoint and potentially specific IAM roles associated with the EC2 instances in the application tier. Making the S3 bucket public is insecure and directly contradicts the requirement for sensitive information. Using an IAM user's credentials directly on EC2 instances is less secure than using IAM roles, and managing credentials on instances is not a best practice. A NAT instance is used for outbound internet access from private subnets, not for private access to AWS services like S3.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed