AWS SAA-C03 #208

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.


The correct answer is A.

You should create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Then, attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

This solution meets all the requirements because it ensures that no API calls and no data are routed through public internet routes, and only the EC2 instance can have access to upload data to the S3 bucket.

The other options (B, C, and D) are not correct because they either do not provide the necessary security or they involve routing data through public internet routes, which is against the requirements.

Here is why the other options are incorrect:

Option B: A gateway VPC endpoint for Amazon S3 does not support private DNS, so requests to the S3 bucket could be routed over the public internet. Also, security groups cannot be attached to a gateway VPC endpoint.

Option C: The nslookup tool cannot be used to obtain the private IP address of the S3 bucket's service API endpoint. Amazon S3 is a regional service and does not have a private IP address.

Option D: The ip-ranges.json file provided by AWS lists public IP address ranges, not private IP addresses. Therefore, this method would not meet the requirement to avoid routing data through public internet routes.

In all these options, the data transfer does not stay within the Amazon network, which is a violation of the stated requirements.
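The resource policy from option A can be sketched as follows. This is an added example, not part of the original question or answer; it goes one step beyond the text by also pinning requests to the endpoint with the `aws:SourceVpce` condition key. The bucket name, account ID, role name and endpoint ID are constructed placeholders, and `is_denied` is a simplified model of explicit-Deny matching, not the full IAM evaluation logic.

```python
import json

# Constructed placeholder values (assumptions, not from the page).
BUCKET = "example-upload-bucket"
ROLE_ARN = "arn:aws:iam::111122223333:role/example-ec2-upload-role"
VPCE_ID = "vpce-0123456789abcdef0"

def deny_unless(sid, key, value):
    """Deny every S3 action on the bucket unless condition key == value."""
    return {
        "Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {key: value}},
    }

def build_policy():
    # Two separate Deny statements: a request is rejected if EITHER the
    # caller is not the instance role OR it did not arrive via the endpoint.
    return {"Version": "2012-10-17", "Statement": [
        deny_unless("DenyOtherPrincipals", "aws:PrincipalArn", ROLE_ARN),
        deny_unless("DenyOutsideEndpoint", "aws:SourceVpce", VPCE_ID),
    ]}

def build_merged_policy():
    # Pitfall: keys inside one Condition block are ANDed, so this single
    # statement denies only when BOTH values are wrong.
    stmt = deny_unless("DenyMerged", "aws:PrincipalArn", ROLE_ARN)
    stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"] = VPCE_ID
    return {"Version": "2012-10-17", "Statement": [stmt]}

def is_denied(policy, ctx):
    """Simplified model of explicit-Deny matching (StringNotEquals only)."""
    for stmt in policy["Statement"]:
        tests = stmt["Condition"]["StringNotEquals"].items()
        # A missing key (e.g. no aws:SourceVpce on an internet request)
        # counts as "not equal", which matches StringNotEquals.
        if stmt["Effect"] == "Deny" and all(ctx.get(k) != v for k, v in tests):
            return True
    return False

# Constructed request contexts.
VIA_ENDPOINT = {"aws:PrincipalArn": ROLE_ARN, "aws:SourceVpce": VPCE_ID}
VIA_INTERNET = {"aws:PrincipalArn": ROLE_ARN}  # same role, no endpoint
OTHER_ROLE = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/other",
              "aws:SourceVpce": VPCE_ID}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

A blanket Deny like this also locks out administrators and the console, so confirm the role ARN and endpoint ID before attaching it to a real bucket.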
