AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 18

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the
NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. Neither EC2 instances in the public or private subnets are able to access the S3 bucket.
What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

Answer options

• A. Add the CIDR address range of the private subnet to the S3 bucket policy.
• B. Add the VPC-E identifier to the S3 bucket policy.
• C. Add the VPC identifier for the production VPC to the S3 bucket policy.
• D. Add the VPC-E identifier for the production VPC to endpoint policy.

Correct answer: B

Explanation

The correct answer is B because adding the VPC-E identifier to the S3 bucket policy explicitly allows access to the S3 bucket from resources using that VPC endpoint. The other options do not grant the necessary permissions for the private subnet's EC2 instances to access the S3 bucket, as they either focus on IP ranges or VPC identifiers that do not directly control access through the VPC endpoint.