AWS SAA-C03 #208

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.


The correct answer is A.

You should create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Then, attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

This solution meets all the requirements because it ensures that no API calls and no data are routed through public internet routes, and only the EC2 instance can have access to upload data to the S3 bucket.

The other options (B, C, and D) are not correct because they either do not provide the necessary security or they involve routing data through public internet routes, which is against the requirements.

Sure, here's why the other options are incorrect:

Option B: A gateway VPC endpoint for Amazon S3 does not support private DNS, so requests to the S3 bucket could be routed over the public internet. Also, security groups cannot be attached to a gateway VPC endpoint.

Option C: The nslookup tool cannot be used to obtain the private IP address of the S3 bucket's service API endpoint. Amazon S3 is a regional service and does not have a private IP address.

Option D: The ip-ranges.json file provided by AWS lists public IP address ranges, not private IP addresses. Therefore, this method would not meet the requirement to avoid routing data through public internet routes.

In all these options, the data transfer does not stay within the Amazon network, which is a violation of the stated requirements.

相关推荐
thinktik8 小时前
还在手把手教AI写代码么? 让你的AWS Kiro AI IDE直接读飞书需求文档给你打工吧!
后端·serverless·aws
Amy_au2 天前
Dotnet 项目手动部署到AWS 和Github action CICD 流程总结
云计算·aws
我不是小upper3 天前
使用 Terraform、AWS 和 Python 构建无服务器实时数据管道
serverless·aws·terraform
运维开发王义杰4 天前
信息安全:GitLab与AWS OIDC集成的深度解析,IAM信任策略中的条件配置
云计算·gitlab·aws
阿雄不会写代码5 天前
python-pptx 库(最常用,适合生成/修改 PPT 文件)
云计算·aws
AWS官方合作商6 天前
构建企业级区块链网络:基于AWS EC2的弹性、高可用解决方案
网络·区块链·aws
fyihdg7 天前
aws上创建jenkins
云计算·aws
TG_yilongcloud7 天前
亚马逊云代理商:如何选择适合的AWS EC2实例类型?
服务器·云计算·aws·实例类型
运维开发王义杰8 天前
AWS:AssumeRole背后真正的安全哲学,不仅是迂回
安全·云计算·aws
一袋米扛几楼9810 天前
【物联网】BLE 系统架构全景图
python·物联网·aws