AWS SAA-C03 #208

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

D. Use the AWS-provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.


The correct answer is A.

You should create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Then, attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

This solution meets all the requirements because it ensures that no API calls and no data are routed through public internet routes, and only the EC2 instance can have access to upload data to the S3 bucket.
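The bucket resource policy that the answer refers to, written out as an added example (not part of the original question or of any AWS documentation). The account ID, role name, bucket name and endpoint ID are placeholders: the policy allows uploads only to the instance's role and only when the request arrives through the named VPC endpoint, and explicitly denies every request that does not come through that endpoint.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploadFromInstanceRoleViaEndpointOnly-placeholders",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ec2-upload-role" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-upload-bucket/*",
      "Condition": {
        "StringEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" }
      }
    },
    {
      "Sid": "DenyAnyRequestNotViaEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-upload-bucket",
        "arn:aws:s3:::example-upload-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-0123456789abcdef0" }
      }
    }
  ]
}
```

The explicit Deny applies to every principal, including administrators using the console from outside the VPC, so test it on a non-production bucket first; a mistaken endpoint ID locks everyone out until the policy is corrected.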

The other options (B, C, and D) are not correct because they either do not provide the necessary security or they involve routing data through public internet routes, which is against the requirements.

Here is why the other options are incorrect:

Option B: A gateway VPC endpoint for Amazon S3 does not support private DNS, so requests to the S3 bucket could be routed over the public internet. Also, security groups cannot be attached to a gateway VPC endpoint.

Option C: The nslookup tool cannot be used to obtain the private IP address of the S3 bucket's service API endpoint. Amazon S3 is a regional service and does not have a private IP address.

Option D: The ip-ranges.json file provided by AWS lists public IP address ranges, not private IP addresses. Therefore, this method would not meet the requirement to avoid routing data through public internet routes.

In all these options, the data transfer does not stay within the Amazon network, which is a violation of the stated requirements.
