AWS Certified Solutions Architect – Professional — Question 470

A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company's information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.
To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.
Which combination of steps should the solutions architect take to implement this solution? (Choose two.)

Answer options

Correct answer: A, C

Explanation

To configure S3 access points for cross-account access, the access points must be created in the AWS account that owns the destination S3 bucket (Option A), not in the caller accounts. Each access point is then restricted to the VPC of the application that uses it, so that requests are only accepted from that network origin. Creating an S3 gateway endpoint in each application's VPC (Option C) routes traffic to the S3 access points privately through the VPC route tables, so the data lake is never reached over the public internet. Options B and E are incorrect because they propose invalid VPC endpoint attachments or restrict routing to the data lake's VPC rather than to the individual applications' VPCs.