Topic 1 Question 208
A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.
Which solution will meet these requirements?
Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
ユーザの投票
コメント(17)
- 正解だと思う選択肢: A
I think answer should be A and not B. as we cannot "Attach a security groups to a gateway endpoint."
👍 8SSASSWS2022/11/28 - 正解だと思う選択肢: B
The correct solution to meet the requirements is Option B. A gateway VPC endpoint for Amazon S3 should be created in the Availability Zone where the EC2 instance is located. This will allow the EC2 instance to access the S3 bucket directly, without routing through the public internet. The endpoint should also be configured with appropriate security groups to allow access to the S3 bucket. Additionally, a resource policy should be attached to the S3 bucket to only allow the EC2 instance's IAM role for access.
👍 7Buruguduystunstugudunstuy2022/12/23 - 正解だと思う選択肢: A
Both (Gateway and Interface) VPC endpoints allow to access S3 privately over AWS network. VPC gateway usually is preferred when private access to S# is needed form EC2 in some VPC, because it free of charge, easy to set up and scalable.
To setup properly access via gateway VPC endpoint is required to edit route tables, but in answer choice it's not mentioned, so without it connection will not work.
So by elimination we may select A as correct answer.
👍 3romko2022/12/19
シャッフルモード