AWS Certified Solutions Architect – Professional — Question 767
A company wants to use Amazon S3 for object storage. Users must be able to access the objects from devices that are connected to their on-premises private network or Amazon EC2 instances. The company has configured AWS Direct Connect and AWS Site-to-Site VPN as a backup. The company does not want to route S3 traffic over the public Internet. The company also requires all data that is stored in S3 buckets to be appropriately classified by data type with a tag named DataClassification.
Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)
Answer options
- A. Configure a gateway VPC endpoint to securely route traffic from on premises to the S3 buckets. Configure an interface VPC endpoint to route traffic between the S3 buckets and EC2 instances over the AWS private network.
- B. Configure an interface VPC endpoint to securely route traffic from on premises to the S3 buckets. Configure a gateway VPC endpoint to route traffic between the S3 buckets and EC2 instances over the AWS private network.
- C. Configure Amazon GuardDuty to identify S3 buckets that are missing the DataClassification tag. Create an Amazon Simple Notification Service (Amazon SNS) topic. Deliver notifications to the topic whenever an untagged S3 bucket is identified.
- D. Configure AWS Security Hub to identify S3 buckets that are missing the DataClassification tag. Create an Amazon Simple Notification Service (Amazon SNS) topic. Deliver notifications to the topic whenever an untagged S3 bucket is identified.
- E. Configure AWS Config to identify S3 buckets that are missing the DataClassification tag. Generate a report of all resources that AWS Config identifies as missing the tag.
- F. Configure Amazon Macie to scan all S3 buckets in the account on a scheduled basis. Integrate Macie with Amazon EventBridge (Amazon CloudWatch Events). Create an AWS Lambda function to validate the data classification inferred by Macie and to add the missing tag.
Correct answer: B, E, F
Explanation
Interface VPC endpoints (AWS PrivateLink) are required for on-premises systems to reach Amazon S3 over Direct Connect or VPN, because gateway VPC endpoints cannot be reached from outside the VPC. Conversely, EC2 instances inside the VPC can use a gateway VPC endpoint to access S3 privately and cost-effectively. For the tagging and classification requirements, AWS Config is the right service for auditing whether resources carry the required tag, while Amazon Macie is the service that scans S3 bucket content to discover and classify sensitive data; its findings are published to EventBridge, which can invoke a Lambda function to apply the appropriate DataClassification tag.
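The Macie-to-EventBridge-to-Lambda tagging step in option F, as an added example that is not part of the original question page or any AWS-published sample. It assumes a company-specific classification vocabulary (PII, Financial, Credentials, Confidential), a constructed and trimmed-down Macie finding event, and an injectable `s3` client parameter so the logic can run offline with the `FakeS3` stand-in; the Macie category names and the S3 tagging API calls are real. The practitioner detail it shows is that `PutObjectTagging` replaces the object's whole tag set, so the existing tags must be read and merged first.

```python
"""
Added example: Lambda-style handler that reads a Macie finding delivered by
EventBridge, derives a DataClassification value, and tags the affected S3
object without clobbering tags that are already present.

Assumptions (not from the page): the tag vocabulary below, the sample event,
and the injected `s3` parameter used for offline execution.
"""

# Macie sensitive-data categories -> company tag values (assumed vocabulary).
CATEGORY_TO_CLASSIFICATION = {
    "CREDENTIALS": "Credentials",
    "FINANCIAL_INFORMATION": "Financial",
    "PERSONAL_INFORMATION": "PII",
}
# Precedence when one object contains several categories (assumed policy).
PRECEDENCE = ["Credentials", "Financial", "PII"]
DEFAULT_CLASSIFICATION = "Confidential"   # fallback for unmapped findings
TAG_KEY = "DataClassification"

# Constructed, simplified EventBridge event shaped like a Macie finding.
SAMPLE_EVENT = {
    "detail-type": "Macie Finding",
    "detail": {
        "type": "SensitiveData:S3Object/Multiple",
        "resourcesAffected": {
            "s3Bucket": {"name": "example-data-bucket"},
            "s3Object": {"key": "exports/customers.csv"},
        },
        "classificationDetails": {
            "result": {
                "sensitiveData": [
                    {"category": "PERSONAL_INFORMATION", "totalCount": 120},
                    {"category": "FINANCIAL_INFORMATION", "totalCount": 3},
                ]
            }
        },
    },
}


def classify(detail):
    """Pick the most sensitive classification present in a Macie finding."""
    sensitive = (detail.get("classificationDetails", {})
                       .get("result", {})
                       .get("sensitiveData", []))
    found = {CATEGORY_TO_CLASSIFICATION.get(e.get("category")) for e in sensitive}
    for label in PRECEDENCE:
        if label in found:
            return label
    return DEFAULT_CLASSIFICATION


def merge_tag(existing_tags, key, value):
    """Return a TagSet with `key` set to `value` and every other tag kept.
    PutObjectTagging replaces the whole set, so this merge is required."""
    merged = [t for t in existing_tags if t["Key"] != key]
    merged.append({"Key": key, "Value": value})
    return merged


def handler(event, context=None, s3=None):
    """EventBridge -> Lambda entry point. `s3` is injectable for offline runs;
    inside Lambda it defaults to a real boto3 client."""
    if event.get("detail-type") != "Macie Finding":
        return {"skipped": True}
    detail = event["detail"]
    if not detail.get("type", "").startswith("SensitiveData:S3Object"):
        return {"skipped": True}  # policy findings describe no object content
    bucket = detail["resourcesAffected"]["s3Bucket"]["name"]
    key = detail["resourcesAffected"]["s3Object"]["key"]
    if s3 is None:
        import boto3  # only needed when running inside Lambda
        s3 = boto3.client("s3")
    current = s3.get_object_tagging(Bucket=bucket, Key=key).get("TagSet", [])
    classification = classify(detail)
    s3.put_object_tagging(
        Bucket=bucket, Key=key,
        Tagging={"TagSet": merge_tag(current, TAG_KEY, classification)},
    )
    return {"bucket": bucket, "key": key, TAG_KEY: classification}


class FakeS3:
    """Constructed in-memory stand-in for the S3 client (offline demo only)."""
    def __init__(self, tags=None):
        self.tags = list(tags or [])

    def get_object_tagging(self, Bucket, Key):
        return {"TagSet": list(self.tags)}

    def put_object_tagging(self, Bucket, Key, Tagging):
        self.tags = list(Tagging["TagSet"])
        return {}


def demo():
    """Run the handler on the sample event; returns (result, final tag set)."""
    fake = FakeS3(tags=[{"Key": "Owner", "Value": "data-team"}])
    result = handler(SAMPLE_EVENT, s3=fake)
    return result, fake.tags


if __name__ == "__main__":
    print(demo())
```

In production the Lambda execution role needs only `s3:GetObjectTagging` and `s3:PutObjectTagging` on the buckets in scope, and the EventBridge rule should match `detail-type` of `Macie Finding` so unrelated events never reach the function. Bucket-level presence of the tag is then audited separately by the AWS Config rule from option E.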