AWS Certified Security – Specialty (SCS-C02) — Question 296
A company runs workloads on Amazon EC2 instances in VPCs. The EC2 instances make requests to Amazon S3 buckets through VPC endpoints. The company uses AWS Organizations to manage its AWS accounts.
The company needs the requests from the EC2 instances to originate from the same VPC that the EC2 instance credentials were issued to.
Which solution will meet this requirement?
Answer options
- A. Deploy an SCP that includes the S3:* action with the "aws:SourceVpc": "${aws:Ec2InstanceSourceVpc}" condition.
- B. Edit the VPC endpoints to include the S3:* action with the "aws:Ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}" condition.
- C. Limit all actions in the S3 bucket policies by using the aws:SourceVpce condition key with the value of the allowed VPC endpoint.
- D. Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value of the allowed VPC ID.
Correct answer: D
Explanation
Using S3 bucket policies with the aws:SourceVpc condition key allows you to restrict access to the buckets so that requests must originate from a specified VPC ID. This ensures that even if credentials are leaked, they cannot be used to access the S3 buckets from outside the designated VPC. Other options are incorrect because they either reference non-existent IAM condition keys or restrict the endpoint itself rather than the source VPC.