Learn how to securely access an S3 data lake from hundreds of applications across multiple AWS accounts while meeting strict security requirements.
Question
A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company’s information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.
To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.
Which combination of steps should the solutions architect take to implement this solution? (Choose two.)
A. Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.
B. Create an interface endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Create a VPC gateway attachment for the S3 endpoint.
C. Create a gateway endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Specify the route table that is used to access the access point.
D. Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.
E. Create a gateway endpoint for Amazon S3 in the data lake’s VPC. Attach an endpoint policy to allow access to the S3 bucket. Specify the route table that is used to access the bucket.
Answer
A. Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.
D. Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.
Explanation
Both of these options meet the requirements of the given scenario. By creating an S3 access point for each application and configuring it to be accessible only from the application’s VPC, access to the S3 bucket is restricted to specific VPCs, ensuring that it cannot be accessed over the public internet. Additionally, updating the bucket policy to require access from an access point ensures that each application has the minimum permissions necessary to function.
The key difference between options A and D is that option A assumes all applications are in the same AWS account as the S3 bucket, while option D accounts for the scenario where applications are spread across multiple AWS accounts.
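As an added illustration that is not part of the original question or answer, the Python audit below checks the two controls the correct options rely on: every access point on the data-lake bucket has a VPC network origin, and the bucket policy only allows requests that arrive through an access point (the s3:DataAccessPointAccount condition key). The dict shapes mirror boto3 s3control output and the account ID, VPC ID and bucket name are constructed placeholders.

```python
# Added audit example (not from the original Q&A). The dict layouts follow the
# boto3 s3control get_access_point response (an assumption); sample data is constructed.
BUCKET_OWNER_ACCOUNT = "111122223333"   # constructed placeholder account ID

# Constructed access points: one correctly VPC-restricted, one open to the internet.
ACCESS_POINTS = [
    {"Name": "app-a-ap", "NetworkOrigin": "VPC",
     "VpcConfiguration": {"VpcId": "vpc-0a1b2c3d"}},
    {"Name": "app-b-ap", "NetworkOrigin": "Internet"},
]

# Bucket policy that delegates authorization to access points owned by this account,
# so each application's minimum permissions live on its own access point policy.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::data-lake-bucket",
                     "arn:aws:s3:::data-lake-bucket/*"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": BUCKET_OWNER_ACCOUNT}},
    }],
}

def non_vpc_access_points(access_points):
    """Return names of access points that are reachable from outside a VPC."""
    return [ap["Name"] for ap in access_points
            if ap.get("NetworkOrigin") != "VPC" or "VpcConfiguration" not in ap]

def policy_delegates_to_access_points(policy, account_id):
    """True if some Allow statement is scoped to access points of account_id."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("s3:DataAccessPointAccount") == account_id:
            return True
    return False

def audit(access_points, policy, account_id):
    """Collect findings; an empty list means both controls are in place."""
    findings = [f"access point {n} is not VPC-restricted"
                for n in non_vpc_access_points(access_points)]
    if not policy_delegates_to_access_points(policy, account_id):
        findings.append("bucket policy does not require access through an access point")
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_POINTS, BUCKET_POLICY, BUCKET_OWNER_ACCOUNT):
        print("FINDING:", finding)
```

For the multi-account layout of option D, the condition value becomes the list of application account IDs whose access points the bucket owner trusts.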
Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.