AWS SAA-C03 #208

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.


The correct answer is A.

You should create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Then, attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

This solution meets all the requirements because it ensures that no API calls and no data are routed through public internet routes, and only the EC2 instance can have access to upload data to the S3 bucket.

The other options (B, C, and D) are not correct because they either do not provide the necessary security or they involve routing data through public internet routes, which is against the requirements.

Sure, here's why the other options are incorrect:

Option B: A gateway VPC endpoint for Amazon S3 does not support private DNS, so requests to the S3 bucket could be routed over the public internet. Also, security groups cannot be attached to a gateway VPC endpoint.

Option C: The nslookup tool cannot be used to obtain the private IP address of the S3 bucket's service API endpoint. Amazon S3 is a regional service and does not have a private IP address.

Option D: The ip-ranges.json file provided by AWS lists public IP address ranges, not private IP addresses. Therefore, this method would not meet the requirement to avoid routing data through public internet routes.

In all these options, the data transfer does not stay within the Amazon network, which is a violation of the stated requirements.

相关推荐
qq_3391911410 小时前
aws docker安装,ec2安装docker-compose
docker·云计算·aws
电话交换机IPPBX-3CX10 小时前
电话交换机IPPBX的数据存储在AWS亚马逊云
aws·ip pbx·电话交换机
qq_3391911414 小时前
aws ec服务器统一为国内时间。ec 设置上海
服务器·云计算·aws
福大大架构师每日一题1 天前
nginx 1.29.2 发布:AWS-LC 支持、QUIC及SSL优化等重要更新
nginx·ssl·aws
qq_339191141 天前
aws ec服务器设置密码登录,ec服务器root登录 aws服务器初始化配置
服务器·github·aws
王道长AWS_服务器1 天前
AWS Route 53:DNS 不止能解析,还能做全球流量调度
后端·aws
王道长服务器 | 亚马逊云3 天前
AWS Shield 与海外高防服务器的对比分析
服务器·云计算·aws
weixin_307779133 天前
AWS云上ClickHouse数据仓库部署方案详解
开发语言·clickhouse·自动化·云计算·aws
Amy_au3 天前
AWS Lambda 学习笔
学习·云计算·aws
潇凝子潇3 天前
AWS CLI自动删除资源脚本
chrome·云计算·aws