AWS Certified Solutions Architect – Associate (SAA-C02) — Question 364

A company is storing sensitive user information in an Amazon S3 bucket. The company wants to provide secure access to this bucket from the application tier running on Amazon EC2 instances inside a VPC.
Which combination of steps should a solutions architect take to accomplish this? (Choose two.)

Answer options

Correct answer: A, C

Explanation

Creating a VPC gateway endpoint for Amazon S3 (Option A) allows private connectivity between the VPC and S3 without traversing the public internet, ensuring secure data transit.

Implementing an S3 bucket policy that restricts access to the VPC's resources (Option C) ensures that only the application tier within the VPC can access the sensitive data.

Making the bucket public (Option B) or storing long-term IAM credentials on EC2 instances (Option D) introduces significant security risks, while using a NAT instance (Option E) does not provide private, direct VPC endpoint integration.
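The bucket policy from Option C, as an added example that is not part of the original question: it builds the Deny-unless-via-endpoint policy that AWS documents for the `aws:SourceVpce` condition key and runs a simplified check against it. The bucket name, endpoint ID and role ARNs are constructed placeholders, and `deny_applies` is a minimal evaluator written for this example, not the real IAM engine.

```python
"""Build and sanity-check an S3 bucket policy that only admits requests
arriving through one VPC gateway endpoint (plus one exempt admin role)."""
import fnmatch
from typing import Optional


def vpc_restricted_bucket_policy(bucket: str, vpce_id: str, break_glass_role_arn: str) -> dict:
    """Deny every S3 action on the bucket unless the request came through
    the given endpoint. Using Deny (rather than Allow) matters: an explicit
    Deny cannot be overridden by any Allow in IAM policies or ACLs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                # Requests not routed through the gateway endpoint carry no
                # aws:SourceVpce, so StringNotEquals matches them as well.
                "StringNotEquals": {"aws:SourceVpce": vpce_id},
                # Without this exemption the Deny also locks out operators
                # using the console or CLI from outside the VPC.
                "ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn},
            },
        }],
    }


def deny_applies(policy: dict, source_vpce: Optional[str], principal_arn: str) -> bool:
    """Simplified evaluator (assumption: not the IAM engine): the Deny fires
    only when every condition block in the statement matches the request."""
    cond = policy["Statement"][0]["Condition"]
    vpce_mismatch = source_vpce != cond["StringNotEquals"]["aws:SourceVpce"]
    arn_mismatch = not fnmatch.fnmatch(principal_arn, cond["ArnNotLike"]["aws:PrincipalArn"])
    return vpce_mismatch and arn_mismatch


if __name__ == "__main__":
    # Constructed placeholder identifiers; substitute the real endpoint ID
    # (the gateway endpoint must be attached to the app subnets' route tables).
    policy = vpc_restricted_bucket_policy(
        "sensitive-user-data", "vpce-0123456789abcdef0",
        "arn:aws:iam::111122223333:role/S3BreakGlass")
    app = "arn:aws:iam::111122223333:role/AppTier"
    print("from internet, app role denied:", deny_applies(policy, None, app))
    print("via endpoint, app role denied: ", deny_applies(policy, "vpce-0123456789abcdef0", app))
```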