AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company is storing sensitive user information in an Amazon S3 bucket. The company wants to provide secure access to this bucket from the application tier running on Amazon EC2 instances inside a VPC.
Which combination of steps should a solutions architect take to accomplish this? (Choose two.)
Other
Community
UAnonymous
A
Configure a VPC gateway endpoint for Amazon S3 within the VPC.
B
Create a bucket policy to make the objects in the S3 bucket public.
C
Create a bucket policy that limits access to only the application tier running in the VPC.
D
Create an IAM user with an S3 access policy and copy the IAM credentials to the EC2 instance.
E
Create a NAT instance and have the EC2 instances use the NAT instance to access the S3 bucket.
Explanation:
Explanation
Correct Answers: A and C
A. Configure a VPC gateway endpoint for Amazon S3 within the VPC.
- A VPC endpoint for S3 allows EC2 instances within the VPC to access S3 buckets without going through the public internet.
- This provides secure, private connectivity between the VPC and S3 service.
- It uses AWS's internal network infrastructure, enhancing security by keeping traffic within the AWS network.
C. Create a bucket policy that limits access to only the application tier running in the VPC.
- A bucket policy can restrict access to specific VPC endpoints or specific VPCs.
- This ensures that only resources within the specified VPC can access the sensitive data in the S3 bucket.
- Combined with the VPC endpoint, this creates a secure, private connection between the EC2 instances and S3.
Why other options are incorrect:
B. Create a bucket policy to make the objects in the S3 bucket public.
- This would expose sensitive user information to the public internet, which is a major security risk.
- Sensitive data should never be made publicly accessible.
D. Create an IAM user with an S3 access policy and copy the IAM credentials to the EC2 instance.
- While IAM roles are the recommended approach for EC2 instances, copying IAM user credentials to EC2 instances is not secure.
- Credentials can be compromised, rotated, or leaked.
- The better approach is to use IAM roles attached to EC2 instances, which provide temporary credentials.
E. Create a NAT instance and have the EC2 instances use the NAT instance to access the S3 bucket.
- NAT instances are used for outbound internet access from private subnets, not for accessing AWS services privately.
- This would route traffic through the public internet, which is less secure than using VPC endpoints.
- NAT instances add complexity and cost without providing the security benefits of VPC endpoints.
Best Practice Approach:
- Create a VPC endpoint for S3 to enable private connectivity.
- Configure S3 bucket policies to restrict access to the VPC endpoint or specific VPC.
- Use IAM roles attached to EC2 instances for authentication (not mentioned in options but is AWS best practice).
- Ensure the S3 bucket is not publicly accessible.
- Consider using VPC endpoint policies for additional access control.
Comments
Loading comments...