Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 243 discussion

For those who struggle on why A but not D as they are almost identical like I did: A: Create an S3 access point for each application in THE AWS account D: Create an S3 access point for each application in EACH AWS account Not sure if this is technical or English exam.

see details step in below link where 'Create an Amazon S3 gateway endpoint in your VPC' https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

https://repost.aws/knowledge-center/s3-access-bucket-restricted-to-vpc

A and C in my opinion. Interface Endpoint is for EC2 generally, when we need a private IP. Gateway Endpoint is suitable in 95% cases when there are DynamoDB and S3 secure connectivity.

A & C Why not B? Interface endpoints are used for services that require a private IP address within the VPC, such as Amazon EC2, Amazon ECS, or Amazon SNS. Gateway endpoints, on the other hand, are used for services that are accessed using their public endpoint, such as Amazon S3 and Amazon DynamoDB. Since the scenario involves accessing an S3 bucket, a gateway endpoint is the appropriate choice, not an interface endpoint.

Correct:A,B https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

Gateway Endpoint only allows resources within the VPC to connect to S3. It is not possible to provide the gateway endpoint across many AWS accounts

I don't think C can achieve the requirement. At least according to this https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html. Here's why. "100's of AWS Accounts" hints about possibility of cross region access. Gateway Endpoints can't allow access from VPCs in other regions. Gateway endpoint is to access from own VPC.

It's A+B. A sets up S3 Access Points, one for each accessing application, in the data lake account (the S3 account) which are configured with policies giving each application least-privilege access. B then sets up PrivateLink access (==interface endpoints) in each of the application accounts. C is out because gateway endpoints can't take policies. D is less efficient than A+B E is too simplistic - one gateway endpoint is not enough..

A is valid, but C can't be configured for fine-grained access since it involves a gateway endpoint. Therefore: B as this is possible with a PrivateLink (==interface endpoint)

Answer is A & B. C is not suitable based on AWS Gateway endpoints documentation - "Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

A & C are right.

https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

Answer is AB, because gateway VPC does not have access to S3 access point. And interface VPC endpoint allos access to S3 access point. Note from ChatGPT: As of my last knowledge update in September 2021, Gateway VPC Endpoints for Amazon S3 do not support direct access to S3 access points. Gateway VPC Endpoints are designed to provide private connectivity from your Amazon Virtual Private Cloud (VPC) to S3, but they do not inherently support access to S3 access points.

A. By creating an S3 access point for each application in the AWS account that owns the S3 bucket and configuring it to be accessible only from the application's VPC, you ensure that each application has the minimum necessary permissions and can access the data lake securely. C. Creating a gateway endpoint for Amazon S3 in each application's VPC and configuring the endpoint policy to allow access to an S3 access point ensures that traffic from each VPC is directed through the S3 access point and adheres to the security requirements. Specifying the route table that is used to access the access point is an essential part of the configuration. This combination of steps helps you meet your security and access requirements by using S3 access points and VPC endpoints for each application. It ensures that the data lake is accessed securely and that access permissions are correctly configured.

Gateway endpoint is public where as S3 access point and Interface endpoint can be private and limited to VPC. https://aws.amazon.com/s3/features/access-points/

can anyone tell me why B is incorrect from what i know gateway endpoint resolves to Public AWS IP interface endpoint is completely private please correct me if wrong