AWS Certified Security – Specialty — Question 358
A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.
A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication.
What else should the security engineer check to determine why the request from the EC2 instance is failing?
Answer options
- A. Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.
- B. Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.
- C. Verify that the internet gateway is allowing traffic to Amazon S3.
- D. Verify that the VPC endpoint policy is allowing access to Amazon S3.
Correct answer: D
Explanation
Gateway VPC endpoints use endpoint policies, which are resource-based policies attached to the endpoint, to control which principals can reach which services and resources through it. If this policy is too restrictive, requests through the endpoint are denied even when the IAM instance profile and the S3 bucket policy are correct. Gateway endpoints do not have security groups, and S3-bound traffic from this subnet is routed through the endpoint rather than the internet gateway, so the other options are incorrect.
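To illustrate the failure mode in the explanation, here is an added example (not part of the exam page): a simplified evaluator for a gateway endpoint policy, with a constructed policy scoped to the wrong bucket beside a corrected one. The bucket names, object key and the evaluator itself are assumptions; real IAM evaluation also considers Principal and Condition elements, which are not modelled here.

```python
# Added example: simplified evaluation of a gateway endpoint policy.
# Shows why a too-restrictive endpoint policy fails a GetObject even
# when IAM and the bucket policy allow it. Names are constructed.
import json
from fnmatch import fnmatchcase

# Constructed: allows S3 reads only from a different bucket, so the
# instance's GetObject on example-data-bucket is rejected at the
# endpoint even though IAM and the bucket policy allow it.
RESTRICTIVE_ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::other-bucket/*"}]})

# Constructed: the corrected policy names the bucket the instance needs.
CORRECTED_ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-data-bucket",
                                "arn:aws:s3:::example-data-bucket/*"]}]})


def _matches(patterns, value):
    # IAM wildcards ('*', '?') map onto fnmatch; ARNs are case-sensitive.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def endpoint_policy_allows(policy_json, action, resource):
    """Explicit Deny wins, otherwise any matching Allow permits.
    Assumes Principal "*"; Condition keys are not evaluated."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-data-bucket/report.csv"
    print("restrictive:", endpoint_policy_allows(RESTRICTIVE_ENDPOINT_POLICY, "s3:GetObject", obj))
    print("corrected:  ", endpoint_policy_allows(CORRECTED_ENDPOINT_POLICY, "s3:GetObject", obj))
```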