AWS Certified Security – Specialty (SCS-C02) — Question 202

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint.
The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.

A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet's network ACLs allow the communication.

What else should the security engineer check to determine why the request from the EC2 instance is failing?

Answer options

• A. Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.
• B. Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.
• C. Verify that the internet gateway is allowing traffic to Amazon S3.
• D. Verify that the VPC endpoint policy is allowing access to Amazon S3.

Correct answer: D

Explanation

The correct answer is D because the VPC endpoint policy must explicitly allow access to the S3 service for requests to succeed. The other options are less relevant; option A concerns the EC2 instance's security group, which is not the issue since it has been verified, option B is irrelevant as VPC endpoints do not have security groups by default, and option C is not applicable since the VPC endpoint is used, bypassing the internet gateway.