AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 356

A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet with a
NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
Which changes should a network engineer make to the architecture to meet these requirements?

Answer options

• A. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
• B. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
• C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
• D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.

Correct answer: B

Explanation

Deploying a VPC endpoint for S3 establishes a private connection between the VPC and S3, allowing the traffic to bypass the NAT gateway entirely. By applying a bucket policy with an 'aws:sourceVpce' condition, access is strictly limited to requests originating from that specific VPC endpoint. Other options are incorrect because S3 buckets cannot be deployed inside a VPC subnet, and private VPC CIDR ranges cannot be used directly in S3 bucket policies for public endpoint traffic.