AWS Certified SysOps Administrator – Associate (legacy) — Question 714
A user needs to put sensitive data in an Amazon S3 bucket that can be accessed through an S3 VPC endpoint only. The user must ensure that resources in the VPC can only access the single S3 bucket.
Which combination of actions will meet the requirements? (Choose two.)
Answer options
- A. Configure the bucket policy to only allow access through the S3 Private Endpoint.
- B. Modify the VPC endpoint policy on the bucket to only allow the VPC to access it.
- C. Modify the VPC peering configuration to only allow access to the S3 private Endpoint.
- D. Configure the VPC endpoint policy to only allow the VPC to access the specific S3 bucket.
- E. Configure the IAM policy attached to the S3 bucket to only allow access from the specific VPC.
Correct answer: A, D
Explanation
To restrict access to the S3 bucket so that it is reachable only through the S3 VPC endpoint, the bucket policy must use the aws:sourceVpce condition key to enforce that path (Option A). To ensure that resources inside the VPC cannot reach any other S3 bucket, the VPC endpoint policy itself must be restricted so that the only allowed resource is the target bucket (Option D). Modifying VPC peering (Option C) or attaching policies at the wrong place (Options B and E) does not satisfy both constraints.
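The two policies from Options A and D, and how they compose, as an added example that is not part of the original question. The bucket name and endpoint ID are constructed placeholders, and the evaluation functions are a deliberately simplified model of IAM's Deny/Allow logic for just these two statements, not a general policy evaluator.

```python
import json

# Constructed placeholders (assumptions, not from the question): substitute real values.
BUCKET = "example-sensitive-bucket"
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Option A: bucket policy with an explicit Deny for any request that did not arrive
# through the expected endpoint. StringNotEquals also matches when aws:sourceVpce is
# absent (e.g. a request from the internet), so those requests are denied too.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessViaEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
    }],
}

# Option D: endpoint policy that lets traffic through this endpoint reach only the
# target bucket; any other bucket is not covered by the Allow and is therefore blocked.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyTargetBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": BUCKET_ARNS,
    }],
}

def bucket_policy_permits(source_vpce):
    """Option A check: the Deny does NOT match only when aws:sourceVpce equals our endpoint."""
    expected = BUCKET_POLICY["Statement"][0]["Condition"]["StringNotEquals"]["aws:sourceVpce"]
    return source_vpce == expected  # None (key absent) or a foreign endpoint -> denied

def endpoint_policy_permits(resource_arn):
    """Option D check: is the requested ARN covered by the endpoint policy's Allow?"""
    allowed = ENDPOINT_POLICY["Statement"][0]["Resource"]
    return any(resource_arn == r or (r.endswith("/*") and resource_arn.startswith(r[:-1]))
               for r in allowed)

def request_permitted(resource_arn, source_vpce):
    """Both controls must pass: the bucket policy pins the path, the endpoint policy pins the bucket."""
    if not bucket_policy_permits(source_vpce):
        return False  # direct/internet access or another VPC's endpoint
    return endpoint_policy_permits(resource_arn)  # via our endpoint: only the target bucket

if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    print(json.dumps(ENDPOINT_POLICY, indent=2))
```

Because the Deny in the bucket policy applies to Principal "*", it also blocks administrators working from outside the VPC, so test the policy on a non-production bucket before applying it to sensitive data.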