AWS Certified Solutions Architect – Professional — Question 9

A company uses Amazon S3 to store documents that may only be accessible to an Amazon EC2 instance in a certain virtual private cloud (VPC). The company fears that a malicious insider with access to this instance could also set up an EC2 instance in another VPC to access these documents.
Which of the following solutions will provide the required protection?

Answer options

• A. Use an S3 VPC endpoint and an S3 bucket policy to limit access to this VPC endpoint.
• B. Use EC2 instance profiles and an S3 bucket policy to limit access to the role attached to the instance profile.
• C. Use S3 client-side encryption and store the key in the instance metadata.
• D. Use S3 server-side encryption and protect the key with an encryption context.

Correct answer: A

Explanation

The correct answer is A, as using an S3 VPC endpoint along with a bucket policy effectively restricts access to only the specified VPC, preventing any unauthorized EC2 instances from accessing the documents. Option B does not fully prevent access from other VPCs, while options C and D do not address network-level access control, making them insufficient for the scenario presented.