AWS Certified Solutions Architect – Professional (SAP-C02) — Question 512
A company is collecting data from a large set of IoT devices. The data is stored in an Amazon S3 data lake. Data scientists perform analytics on Amazon EC2 instances that run in two public subnets in a VPC in a separate AWS account.
The data scientists need access to the data lake from the EC2 instances. The EC2 instances already have an assigned role with permissions to access Amazon S3.
According to company policies, only authorized networks are allowed to have access to the IoT data.
Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Create a gateway VPC endpoint for Amazon S3 in the data scientists' VPC.
- B. Create an S3 access point in the data scientists' AWS account for the data lake.
- C. Update the EC2 instance role. Add a policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN.
- D. Update the VPC route table to route S3 traffic to an S3 access point.
- E. Add an S3 bucket policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN.
Correct answer: A, E
Explanation
A gateway VPC endpoint (option A) gives the data scientists' VPC private connectivity to Amazon S3, so requests to the data lake stay within the authorized network. An S3 bucket policy (option E) whose condition allows s3:GetObject only when the s3:DataAccessPointArn condition key matches the designated access point ensures that the bucket itself admits only requests that arrive through that authorized access point. Because the bucket and the EC2 instances live in different accounts, the control has to be enforced on the bucket: routing VPC traffic to an access point in the route table (option D) or updating the EC2 instance role (option C) does not provide the bucket-level security controls this cross-account access requires.
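As an added example, not part of the original question, here is how the option E bucket policy could be written; the bucket name, account IDs, role name, access point ARN and endpoint ID are all assumed placeholders. The second statement goes beyond what the question requires by also denying the role's requests that do not arrive through the gateway endpoint from option A.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObjectOnlyViaAuthorizedAccessPoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/DataScientistInstanceRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-iot-data-lake/*",
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:us-east-1:111111111111:accesspoint/iot-data-lake-ap"
        }
      }
    },
    {
      "Sid": "DenyGetObjectOutsideGatewayEndpoint",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/DataScientistInstanceRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-iot-data-lake/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Both statements name only the data scientists' instance role as Principal, so the bucket owner's own access from outside the endpoint is unaffected by the Deny.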