AWS Certified Security – Specialty — Question 321
A company deploys an application on AWS. The application recently uploaded confidential data to an Amazon S3 bucket outside the company. The company's security team wants to prevent this scenario from occurring in the future. The company owns 100 different S3 buckets in various AWS accounts and uses AWS Organizations to manage the accounts.
The security team must implement a solution that allows individual teams to create new S3 buckets. The solution must allow applications that are deployed on AWS to access only the S3 buckets that are deployed in the company's organization.
Which solution will meet these requirements?
Answer options
- A. Create an S3 access point in each private subnet. Route all S3 requests to this access point. Create an S3 access point policy that restricts access to specific S3 buckets. Update all S3 access point policies when new S3 buckets are created in the organization.
- B. Create an S3 gateway endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 gateway endpoint policy that restricts access to specific S3 buckets. Update all S3 gateway endpoint policies when new S3 buckets are created in the organization.
- C. Create an S3 interface endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 interface endpoint policy that restricts access to specific S3 buckets. Update all S3 interface endpoint policies when new S3 buckets are created in the organization.
- D. Create a Gateway Load Balancer endpoint in each private subnet. Route all S3 requests to this endpoint. Create a Gateway Load Balancer endpoint policy that restricts access to specific S3 buckets. Update all Gateway Load Balancer endpoint policies when new S3 buckets are created in the organization.
Correct answer: B
Explanation
An S3 gateway endpoint gives resources in a private subnet a private path to Amazon S3, and the endpoint policy attached to it can be scoped so that only specific, trusted S3 buckets within the organization are reachable through it. S3 interface endpoints also support endpoint policies, but gateway endpoints are the standard, cost-effective choice for routing S3 traffic from a VPC because they incur no data processing charges. Gateway Load Balancer endpoints and S3 access points are not the routing control through which a VPC's outbound S3 traffic passes, so neither can be used to limit that traffic to specific S3 buckets.
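As an added example (not part of the original question or answer), the following S3 gateway endpoint policy allows S3 actions only when the target bucket is owned by an account in the company's organization, using the `aws:ResourceOrgID` global condition key. It goes beyond answer B's enumerated bucket list: because the check is on the bucket owner's organization rather than on named bucket ARNs, the policy does not have to be updated when a team creates a new bucket. The organization ID `o-EXAMPLEORGID` is a placeholder for the real value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3OnlyForBucketsOwnedByThisOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceOrgID": "o-EXAMPLEORGID"
        }
      }
    }
  ]
}
```

Requests to buckets outside the organization (including AWS-owned buckets that services such as the Amazon Linux package repositories rely on) are denied through this endpoint, so workloads that need them require an additional Allow statement naming those bucket ARNs. Attach the policy with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json`.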