ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 980 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 980
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company hosts its application on several Amazon EC2 instances inside a VPC. The company creates a dedicated Amazon S3 bucket for each customer to store their relevant information in Amazon S3.

The company wants to ensure that the application running on EC2 instances can securely access only the S3 buckets that belong to the company’s AWS account.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create a gateway endpoint for Amazon S3 that is attached to the VPC. Update the IAM instance profile policy to provide access to only the specific buckets that the application needs.
  • B. Create a NAT gateway in a public subnet with a security group that allows access to only Amazon S3. Update the route tables to use the NAT Gateway.
  • C. Create a gateway endpoint for Amazon S3 that is attached to the VPUpdate the IAM instance profile policy with a Deny action and the following condition key:


  • D. Create a NAT Gateway in a public subnet. Update route tables to use the NAT Gateway. Assign bucket policies for all buckets with a Deny action and the following condition key:

Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by toyaji at Sept. 11, 2024, 7:13 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
toyaji
Highly Voted 10 months ago
Selected Answer: C
B, C is not secure way because NAT gateway is for internet-facing outbound. A is not correct because company will create dedicated bucket for each customers it means number of buckets will increase dynamically. so you cant list all on profile.
upvoted 5 times
...
LeonSauveterre
Most Recent 6 months ago
Selected Answer: C
A - It doesn’t explicitly ensure that access is limited to buckets only owned by the company. We need further adjustments to enforce this restriction (like adding a Condition key). B & D - NAT gateways route traffic over the internet, so it's not so secure or cost-effective as S3 Gateway Endpoint. C - Use an S3 Gateway Endpoint and restrict access using an IAM policy with a condition to deny access to any S3 resource outside the company’s account. Simple, secure, and easy to understand.
upvoted 3 times
...
trinh_le
6 months, 1 week ago
Selected Answer: A
A. Allows option fits to minimum permission policy C. Deny action is complexity and hard to debug
upvoted 2 times
...
Denise123
6 months, 1 week ago
Selected Answer: C
The requirement in the question is to ensure that the EC2 instances can securely access only the S3 buckets that belong to (are owned by) the company's AWS account. In that context, using the "StringNotEquals": {"S3ResourceAccount":["CompanyAWSAcctNumber"]} condition key in the IAM instance profile policy is a valid approach. This condition key restricts access to S3 buckets that are not owned by the specified AWS account number (the company's account). By setting a Deny with this condition, it effectively allows access only to the S3 buckets owned by the company's AWS account.
upvoted 3 times
...
Denise123
6 months, 1 week ago
Selected Answer: A
By choosing Option A, the company can leverage the simplicity and security of VPC Gateway Endpoints for Amazon S3, combined with IAM instance profile policies to grant selective access to the required S3 buckets. This solution provides the necessary isolation and access control with minimal operational overhead, making it the most efficient and scalable approach. Option C and other options have limitations or introduce additional operational overhead Option C (Creating a Gateway Endpoint and using a Deny policy with S3ResourceAccount condition) is not a valid approach. The S3ResourceAccount condition key is used to restrict access based on the AWS account that owns the S3 bucket, not the AWS account that is accessing the bucket.
upvoted 1 times
Denise123
6 months, 1 week ago
Ignore. After re-reading the question carefully, Option C is actually a valid solution. The right answer is C and I wrote exactly that in my answer myself lol. In the question it says "BELONGS TO" (which I failed to read correctly) The requirement in the question is to ensure that the EC2 instances can securely access only the S3 buckets that belong to (are owned by) the company's AWS account. In that context, using the "StringNotEquals": {"S3ResourceAccount":["CompanyAWSAcctNumber"]} condition key in the IAM instance profile policy is a valid approach. This condition key restricts access to S3 buckets that are not owned by the specified AWS account number (the company's account). By setting a Deny with this condition, it effectively allows access only to the S3 buckets owned by the company's AWS account.
upvoted 2 times
GOTJ
5 months, 1 week ago
Errare humanum est :)
upvoted 1 times
...
...
...
EllenLiu
6 months, 2 weeks ago
Selected Answer: A
answer C cannot restrict ec2 from accessing s3 from other accounts. Only by providing access to specific buckets in IAM policy on EC2 are we able to achieve this.
upvoted 1 times
...
AMEJack
7 months, 1 week ago
Selected Answer: A
Option C will deny the other S3 buckets but will not Allow access to the specified Buckets, thus we should have Allow rules. Option A will allow the specified Buckets and implicit Deny the other buckets.
upvoted 2 times
ARV14
7 months, 1 week ago
You will keep updating the policy with new s3 buckets as user base grows? Operational overhead?
upvoted 1 times
...
...
youkarthik
7 months, 2 weeks ago
Selected Answer: A
A as per gen AIs
upvoted 1 times
...
Bwhizzy
8 months, 4 weeks ago
Selected Answer: C
Answer is C. Just specify only the company AWS account number, rather than listing all the Buckets
upvoted 3 times
...
XXXXXlNN
9 months ago
Vote A
upvoted 2 times
...
siheom
9 months, 1 week ago
VOTE A
upvoted 1 times
...
viejito
9 months, 3 weeks ago
la respuesta correcta es la A :Los buckets son servicios globales.( o sea no están en una VPC ni Subnet ), entonces no hace falta que estén en una subred publica o privada ; los Nat Gateway son para redes publicas o privadas .Entonces ahí descarta B,C y D .Cuando quieres conectar un recurso de Global Service se usa Endpoint Gateway por eso la respuesta es A .
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel