Topic 1 Question 243
A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company's information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.
To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.
Which combination of steps should the solutions architect take to implement this solution? (Choose two.)
A. Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application's VPC. Update the bucket policy to require access from an access point.
B. Create an interface endpoint for Amazon S3 in each application's VPC. Configure the endpoint policy to allow access to an S3 access point. Create a VPC gateway attachment for the S3 endpoint.
C. Create a gateway endpoint for Amazon S3 in each application's VPC. Configure the endpoint policy to allow access to an S3 access point. Specify the route table that is used to access the access point.
D. Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucket. Configure each access point to be accessible only from the application's VPC. Update the bucket policy to require access from an access point.
E. Create a gateway endpoint for Amazon S3 in the data lake's VPC. Attach an endpoint policy to allow access to the S3 bucket. Specify the route table that is used to access the bucket.
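The access-point side of the design in option A (one VPC-restricted access point per application in the bucket owner's account, a bucket policy that only honours requests arriving through those access points), as an added Python example that is not part of the question or of any AWS documentation. The account id, bucket name, application name, VPC id and role ARN are constructed; the parameter names follow the boto3 `s3control` `CreateAccessPoint` and `PutAccessPointPolicy` calls, and `audit_bucket_policy` is a check written here to catch Allow statements that reopen a direct path to the bucket.

```python
OWNER_ACCOUNT = "111122223333"  # constructed: the account that owns the data lake bucket
BUCKET = "example-data-lake"    # constructed bucket name

def create_access_point_params(app_name, vpc_id):
    """Parameters for s3control CreateAccessPoint (option A): one access point per
    application, owned by the bucket owner, reachable only from that application's VPC."""
    return {
        "AccountId": OWNER_ACCOUNT,
        "Name": app_name,
        "Bucket": BUCKET,
        "VpcConfiguration": {"VpcId": vpc_id},  # sets NetworkOrigin to VPC, not Internet
    }

def access_point_policy(app_name, role_arn, region="us-east-1"):
    """Policy for s3control PutAccessPointPolicy: the app's least-privilege grant."""
    ap_arn = f"arn:aws:s3:{region}:{OWNER_ACCOUNT}:accesspoint/{app_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "s3:GetObject",          # read-only for this application
            "Resource": f"{ap_arn}/object/*",  # objects reached through this access point
        }],
    }

def delegating_bucket_policy():
    """Bucket policy that honours only requests arriving through an access point owned
    by OWNER_ACCOUNT, so per-application permissions live in the access point policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyViaOwnedAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": OWNER_ACCOUNT}},
        }],
    }

def audit_bucket_policy(policy):
    """Sids of Allow statements not gated on s3:DataAccessPointAccount (direct paths)."""
    findings = []
    for stmt in policy.get("Statement", []):
        conds = stmt.get("Condition", {})
        gated = any("s3:DataAccessPointAccount" in keys for keys in conds.values())
        if stmt.get("Effect") == "Allow" and not gated:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Run `audit_bucket_policy` against the live bucket policy after every change: the delegating statement should be the only Allow it contains, and the gateway endpoint and route table of option C are configured separately in each application VPC.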
User votes
Comments (17)
- Selected answer: AC
For those who, like me, struggled with why A and not D when they are almost identical: A: Create an S3 access point for each application in THE AWS account. D: Create an S3 access point for each application in EACH AWS account.
Not sure if this is technical or English exam.
👍 5 joleneinthebackyard 2023/10/30
- Selected answer: AC
A) Managing granular permissions from the master account for the connection to the bucket sounds like a good idea and matches what is required.
B) Interface endpoint: the usual use case is to enable a public connection, which is not required, so it is incorrect in this case.
C) Gateway endpoint: it is usually used for the internal AWS network, which would be useful in this case, since it is configured for each account and client application, which is granular; sounds like a good idea.
D) Using access points in the clients does not make sense, because the one who grants the permissions has to be the owner of the bucket, so we discard it.
E) A gateway endpoint in the owner's VPC doesn't sound appropriate for the bucket, because you have to use granular permissions as directed with the access point.
Then the correct answer is AC.
👍 3 SkyZeroZx 2023/06/28
Can anyone tell me why B is incorrect? From what I know, a gateway endpoint resolves to a public AWS IP, while an interface endpoint is completely private. Please correct me if I'm wrong.
👍 3 chikorita 2023/08/24