Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 176 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 176
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company has a batch-processing system that uses Amazon S3, Amazon EC2, and AWS Key Management Service (AWS KMS). The system uses two AWS accounts: Account A and Account B.

Account A hosts an S3 bucket that stores the objects that will be processed. The S3 bucket also stores the results of the processing. All the S3 bucket objects are encrypted by a KMS key that is managed in Account A.

Account B hosts a VPC that has a fleet of EC2 instances that access the S3 bucket in Account A by using statements in the bucket policy. The VPC was created with DNS hostnames enabled and DNS resolution enabled.

A security engineer needs to update the design of the system without changing any of the system's code. No AWS API calls from the batch-processing EC2 instances can travel over the internet.

Which combination of steps will meet these requirements? (Choose two.)

  • A. In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.
  • B. In the Account B VPC, create an interface VPC endpoint for Amazon S3. For the interface VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, s3:PutObject, and s3:PutObjectAcl actions for the S3 bucket.
  • C. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned on for the endpoint.
  • D. In the Account B VPC, create an interface VPC endpoint for AWS KMS. For the interface VPC endpoint, create a resource policy that allows the kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey actions for the KMS key. Ensure that private DNS is turned off for the endpoint.
  • E. In the Account B VPC, verify that the S3 bucket policy allows the s3:PutObjectAcl action for cross-account use. In the Account B VPC, create a gateway VPC endpoint for Amazon S3. For the gateway VPC endpoint, create a resource policy that allows the s3:GetObject, s3:ListBucket, and s3:PutObject actions for the S3 bucket.
Show Suggested Answer Hide Answer
Suggested Answer: BC 🗳️
by mikelord at Oct. 3, 2024, 1:38 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
komik_101
2 weeks, 1 day ago
Selected Answer: AC
I will going to AC, when I look at the question , I saw "fleet of EC2" this means Account B have many EC2. Go to link. you will see many topology, and you will understand what I mean. https://aws.amazon.com/tr/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
upvoted 1 times
...
3e88bd8
3 weeks ago
AC: Amazon S3 uses a gateway VPC endpoint rather than an interface VPC endpoint for access from a VPC.
upvoted 1 times
...
div05jkjl
3 weeks, 6 days ago
BC. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 1 times
...
VPNalumni
1 month ago
AC . B is wrong no interface endpoint for s3
upvoted 1 times
...
mikelord
1 month, 1 week ago
BC for me as well.
upvoted 1 times
mikelord
1 month, 1 week ago
Actually changed the answer to AC. Amazon S3 uses a gateway VPC endpoint rather than an interface VPC endpoint for access from a VPC. Gateway endpoints are specifically designed for services like S3 and DynamoDB, allowing efficient, private access.
upvoted 3 times
...
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel