AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 238
Your customer's internal security teams receive requests to allow Amazon S3 access from inside the corporate network. All external traffic must be explicitly whitelisted through your corporate firewalls.
How can your security team grant this access?
Answer options
- A. Obtain the list of IP prefixes from AWS Forum announcements, and use those prefixes in firewall rules.
- B. Obtain the list of IP prefixes from ip-ranges.json, and use those prefixes in firewall rules.
- C. Obtain the list of IP prefixes by performing a DNS lookup on Amazon S3 endpoints, and use those prefixes in firewall rules.
- D. Connect your data center to a VPC via Direct Connect. Create routes that forward traffic from your data center to an S3 private endpoint.
Correct answer: B
Explanation
The correct answer is B because ip-ranges.json is the official, machine-readable list published by AWS of all current IP address ranges used by its services, including Amazon S3; each entry carries a service and region field, so the security team can select only the S3 prefixes for the regions they use and refresh the firewall rules whenever AWS updates the file. Option A is incorrect because AWS Forum announcements are not a reliable or up-to-date source of IP prefixes. Option C is also wrong because a DNS lookup on an S3 endpoint returns only the addresses currently served for that name, not the complete set of prefixes a firewall rule needs. Option D, while valid in a different context, does not address the requirement of whitelisting IP prefixes for external traffic.