Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 527 discussion

Migration Evalutor is a cost comparison calculator that looks at what you are currently spending on-premises versus what you would spend on AWS

Why not the others? B (Create an S3 access point in the data scientists' AWS account): Access points are created in the bucket owner’s account (the data lake account), not in the data scientists’ account. So this is not applicable here. C (Update the EC2 instance role with s3:DataAccessPointArn condition): The IAM role on EC2 controls permissions for the instance, but the bucket policy is the primary place to restrict access by network or access point. The EC2 role already has permissions, so this is not necessary. D (Update the VPC route table to route S3 traffic to an S3 access point): Route tables route traffic to VPC endpoints, not to S3 access points. Access points are used in bucket policies and requests, not routing.

A: Enables secure private S3 access using Gateway Endpoint E: Bucket policy enforces access only via secure access point

The question is really about network policies instead of object policies assuming that is already being in place that is reason i am favoring C

A gateway VPC endpoint allows EC2 instances to access S3 privately without using the public internet. E. The S3 bucket policy ensures that only authorized access via the S3 access point is permitted. B is wrong because S3 Access Points are tied to the bucket’s AWS account, not the requester's AWS account. The access point should be created in the same AWS account as the S3 data lake, not in the data scientists’ account.

A: Gateway VPC endpoints provide secure access to S3 without requiring internet access. Can be used in a multi-account setting. E: Bucket policies can restrict access to specific VPC endpoints. Not B: While S3 access points can be useful, they're not necessary in this scenario where the primary requirement is network-level access control.

B: Creating an S3 access point in the data scientists' AWS account provides a secure and controlled way to expose the data lake to EC2 instances. The access point allows you to manage who can access the bucket, and you can configure the bucket policy to include conditions that restrict access. E: Adding an S3 bucket policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN provides additional security and control over who can access the data lake. This ensures that only authorized networks (in this case, the data scientists' AWS account) can access the bucket.

BE. https://aws.amazon.com/blogs/storage/setting-up-cross-account-amazon-s3-access-with-s3-access-points/

I feel the combination of A,B and E would be the correct answer

This question is really bad. It feels like if A is selected, then E needs to be adjusted to enable access between VPC endpoints and the bucket directly Or if B is selected, then B needs to be reworded to say creating access point in data lake account, then E would be valid without any modification

B & E are correct options. A isn't correct because gateway VPC endpoint doesn't work outside of VPC. In this question, we are talking about 2 different accounts which implies 2 different VPCs as well

S3 Access Point should be created in destination account. You need VPC endpoint to keep the network private. This question might just assumed that the S3 access point is already created in destination account

S3 access point is used If you want to share your bucket with other accounts

Gateway endpoint do not work cross account, so BE. owever, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

Anyone who is picking A/E - please realize DataAccessPointArn ONLY WORKS when there is an access point created. A does NOT mention creating an Access Point. B is completely possible and combine with E restricts all traffic coming from the VPC that has the acccess point mentioned in B. B+E is the correct answer

a,d gateway VPC endpoint needs config route table

A, E are correct