AWS Certified SysOps Administrator – Associate (legacy) — Question 638
A company wants to store sensitive data in Amazon S3. The S3 bucket and its contents must be accessible only from the on-premises corporate network.
What should a SysOps administrator do to configure the S3 bucket policy statement?
Answer options
- A. Use a Deny effect with a condition based on the aws:sourceVpc key.
- B. Use a Deny effect with a condition based on the NotIpAddress key.
- C. Use an Allow effect with a condition based on the IpAddress key.
- D. Use an Allow effect with a condition based on the s3:LocationConstraint key.
Correct answer: A
Explanation
To restrict access to an S3 bucket to an on-premises network that reaches AWS through a VPC (over a VPN or AWS Direct Connect connection), a Deny effect conditioned on the aws:sourceVpc key is the most robust approach: an explicit deny blocks every request that does not originate from the expected VPC, regardless of what other statements allow. Note that aws:sourceVpc is populated only when the request reaches S3 through a VPC endpoint, so the endpoint must be in place before the deny statement is applied. Relying only on Allow effects keyed to IP addresses leaves the bucket exposed to misconfiguration or unauthorized access from outside the intended VPC boundary. The s3:LocationConstraint key specifies the Region when a bucket is created and is not usable for network access control.