Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 527 discussion

B: Creating an S3 access point in the data scientists' AWS account provides a secure and controlled way to expose the data lake to EC2 instances. The access point allows you to manage who can access the bucket, and you can configure the bucket policy to include conditions that restrict access. E: Adding an S3 bucket policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN provides additional security and control over who can access the data lake. This ensures that only authorized networks (in this case, the data scientists' AWS account) can access the bucket.

BE. https://aws.amazon.com/blogs/storage/setting-up-cross-account-amazon-s3-access-with-s3-access-points/

I feel the combination of A,B and E would be the correct answer

This question is really bad. It feels like if A is selected, then E needs to be adjusted to enable access between VPC endpoints and the bucket directly Or if B is selected, then B needs to be reworded to say creating access point in data lake account, then E would be valid without any modification

B & E are correct options. A isn't correct because gateway VPC endpoint doesn't work outside of VPC. In this question, we are talking about 2 different accounts which implies 2 different VPCs as well

S3 Access Point should be created in destination account. You need VPC endpoint to keep the network private. This question might just assumed that the S3 access point is already created in destination account

S3 access point is used If you want to share your bucket with other accounts

Gateway endpoint do not work cross account, so BE. owever, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

Anyone who is picking A/E - please realize DataAccessPointArn ONLY WORKS when there is an access point created. A does NOT mention creating an Access Point. B is completely possible and combine with E restricts all traffic coming from the VPC that has the acccess point mentioned in B. B+E is the correct answer

a,d gateway VPC endpoint needs config route table

A, E are correct

A, E for sure. Only authorized networks are allowed to have access to the IoT data.

Need access from different AWS account with restrictions. So it is BE

A. This step ensures that the traffic between the EC2 instances and the S3 data lake does not traverse the public internet, thereby meeting security requirements and reducing latency. E. This step ensures that the access to the data lake is restricted according to company policies. It leverages an S3 bucket policy to enforce access control based on specific conditions, thereby providing an additional layer of security.

A. This step ensures that the traffic between the EC2 instances and the S3 data lake does not traverse the public internet, thereby meeting security requirements and reducing latency. C. This step ensures that the access to the data lake is restricted according to company policies. It leverages an S3 bucket policy to enforce access control based on specific conditions, thereby providing an additional layer of security.

B S3 access points allow fine-grained control of access policies and network settings for specific S3 buckets. E s3:DataAccessPointArn must be used to set permissions on the S3 bucket side for going through the access point. role settings in C do not have settings to determine the access point on the bucket side.