AWS Certified Solutions Architect – Associate (SAA-C02) — Question 120
A company mandates that an Amazon S3 gateway endpoint must allow traffic to trusted buckets only.
Which method should a solutions architect implement to meet this requirement?
Answer options
- A. Create a bucket policy for each of the company's trusted S3 buckets that allows traffic only from the company's trusted VPCs.
- B. Create a bucket policy for each of the company's trusted S3 buckets that allows traffic only from the company's S3 gateway endpoint IDs.
- C. Create an S3 endpoint policy for each of the company's S3 gateway endpoints that blocks access from any VPC other than the company's trusted VPCs.
- D. Create an S3 endpoint policy for each of the company's S3 gateway endpoints that provides access to the Amazon Resource Name (ARN) of the trusted S3 buckets.
Correct answer: D
Explanation
The correct answer is D. The requirement is about the endpoint, not the buckets: every request that leaves the VPC through the gateway endpoint is evaluated against the endpoint policy, so an endpoint policy whose Resource element lists only the trusted bucket ARNs (the bucket ARN for s3:ListBucket and the bucket's object ARNs for s3:GetObject and s3:PutObject) is the control that stops workloads from using the endpoint to reach any other bucket, including an attacker-controlled one used for data exfiltration. Options A and B attach bucket policies with aws:SourceVpc or aws:SourceVpce conditions to the trusted buckets; that protects those buckets from requests that do not arrive through the company's VPCs or endpoints, but it says nothing about untrusted buckets, which remain reachable through the endpoint under its default full-access policy. Option C filters the endpoint by source VPC rather than by destination bucket; a gateway endpoint only serves routes from its own VPC in any case, so that policy would not meet the requirement.
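The following is an added example, not part of the exam page or of any AWS documentation: it builds the endpoint policy that answer D describes for two hypothetical bucket names and then runs a simplified IAM-style evaluation of sample requests against it, alongside the default gateway endpoint policy, to show which bucket ARNs each one lets through. The bucket names and the evaluator are illustrative assumptions; the evaluator only implements Action and Resource matching with explicit deny precedence and ignores Condition elements and the rest of the IAM evaluation logic.

```python
"""Added example (not from the exam page): an S3 gateway endpoint policy that
allows only trusted buckets, plus a minimal evaluator to check its effect."""
import fnmatch
import json

# Hypothetical bucket names (assumption for the example); substitute your own.
TRUSTED_BUCKETS = ["corp-data-prod", "corp-logs"]

# The policy AWS attaches to a new gateway endpoint: full access to all buckets.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
    ]
}


def endpoint_policy(trusted_buckets):
    """Endpoint policy restricting the gateway endpoint to the trusted buckets.

    Both the bucket ARN (used by s3:ListBucket) and the object ARN pattern
    (used by s3:GetObject / s3:PutObject) are listed, because each API call
    is authorized against a different resource ARN.
    """
    resources = []
    for bucket in trusted_buckets:
        resources.append(f"arn:aws:s3:::{bucket}")
        resources.append(f"arn:aws:s3:::{bucket}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowTrustedBucketsOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": resources,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters (including
    # '/'), '?' matches one character. fnmatchcase is not path-aware, so it
    # behaves the same way for ARNs.
    return fnmatch.fnmatchcase(value, pattern)


def endpoint_allows(policy, action, resource_arn):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_match(r, resource_arn) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def main():
    policy = endpoint_policy(TRUSTED_BUCKETS)
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: one to a trusted bucket, one to an
    # attacker-controlled bucket that an exfiltration attempt would target.
    requests = [
        ("s3:GetObject", "arn:aws:s3:::corp-data-prod/reports/q1.csv"),
        ("s3:ListBucket", "arn:aws:s3:::corp-logs"),
        ("s3:PutObject", "arn:aws:s3:::attacker-bucket/exfil.tar"),
    ]
    for action, arn in requests:
        print(f"{action:14} {arn:48} default={endpoint_allows(DEFAULT_ENDPOINT_POLICY, action, arn)!s:5} "
              f"restricted={endpoint_allows(policy, action, arn)}")


if __name__ == "__main__":
    main()
```

The generated JSON is what you would pass to `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <id> --policy-document file://policy.json`. Two caveats apply in practice: an endpoint policy never grants more than the caller's IAM policy and the bucket policy already allow, it only narrows what can pass through the endpoint; and any buckets that services inside the VPC depend on (for example the Amazon Linux package repositories, which are served from S3) must be added to the Resource list or those services will break once the default policy is replaced.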