AWS Certified Solutions Architect – Associate (SAA-C02) — Question 132
An application is running on Amazon EC2 instances. Sensitive information required for the application is stored in an Amazon S3 bucket. The bucket needs to be protected from internet access while only allowing services within the VPC access to the bucket.
Which combination of actions should a solutions architect take to accomplish this? (Choose two.)
Answer options
- A. Create a VPC endpoint for Amazon S3.
- B. Enable server access logging on the bucket.
- C. Apply a bucket policy to restrict access to the S3 endpoint.
- D. Add an S3 ACL to the bucket that has sensitive information.
- E. Restrict users using the IAM policy to use the specific bucket.
Correct answer: A, C
Explanation
Creating a VPC endpoint for Amazon S3 (Option A) lets traffic from the VPC reach the bucket over the AWS network rather than the public internet. Applying a bucket policy that restricts access to that S3 endpoint (Option C) is what actually blocks outside requests: the policy denies any request that does not arrive through the VPC endpoint, so only principals inside the VPC can reach the bucket. The other options (access logging, a bucket ACL, or an IAM policy scoping users to the bucket) do not restrict internet access or tie access to the VPC.
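As an added illustration (not part of the exam question), this is the shape of bucket policy Option C describes: an explicit Deny on all S3 actions unless the request carries the ID of the VPC endpoint. The bucket name and endpoint ID are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Id": "RestrictToVpcEndpoint",
  "Statement": [
    {
      "Sid": "DenyAllAccessNotViaVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-BUCKET-NAME",
        "arn:aws:s3:::PLACEHOLDER-BUCKET-NAME/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because the Deny applies to every principal, it also blocks requests from the AWS console and from any other path that does not traverse the endpoint, so verify that the gateway endpoint is associated with the route tables of the subnets that need access before attaching the policy.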