AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 92
You have set up an S3 endpoint, and you want to restrict some instances from being able to access it. These instances are all in the same subnet, so you cannot simply remove the prefix list from the route table.
What two approaches can you take to solve this? (Choose two.)
Answer options
- A. Remove any access to the PL in the security group attached to the instances.
- B. Add a rule in the NACL to block the prefix list ID outbound.
- C. This is not possible.
- D. Modify the endpoint policy.
Correct answer: A, D
Explanation
Option A is correct because modifying the security group can restrict access to the S3 endpoint. Option D is also valid as changing the endpoint policy can directly control who has access. Options B and C are incorrect; while NACLs can block traffic, they don't offer the granularity needed in this case, and saying it's impossible disregards the viable options available.