
Exam AWS Certified Security - Specialty SCS-C02 All Questions


Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 227 discussion

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint.
The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.

A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet's network ACLs allow the communication.

What else should the security engineer check to determine why the request from the EC2 instance is failing?

  • A. Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.
  • B. Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.
  • C. Verify that the internet gateway is allowing traffic to Amazon S3.
  • D. Verify that the VPC endpoint policy is allowing access to Amazon S3.
Suggested Answer: D
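The question turns on the fact that a request from the instance passes through several independent authorization layers, and a gateway endpoint policy that does not cover the bucket silently blocks the request even when IAM, the bucket policy, the security group and the NACL all permit it. The following is an added example, not part of the original question or any AWS code: a simplified IAM-style policy evaluator (explicit Deny wins, then Allow, else implicit deny) run over constructed instance-profile, bucket and endpoint policies. The bucket names, the `example-bucket` object key and the `RESTRICTIVE_ENDPOINT_POLICY` document are all made up for illustration; it models only the policy layers the question names, not the routing, security group or NACL checks.

```python
"""Why a GetObject call can fail at the gateway VPC endpoint policy alone.

Constructed example: a reduced IAM-style evaluator over made-up policies.
Real IAM evaluation has more rules (conditions, NotAction, principals, etc.);
this keeps only Effect/Action/Resource matching, which is enough to show the
layering the exam question describes.
"""
from fnmatch import fnmatchcase


def _matches(pattern, value):
    """Match an IAM-style wildcard pattern (or list of patterns) against a value."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one policy document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit Deny always wins
            decision = "allow"
    return decision


# Layers the engineer already verified: both permit the request (constructed).
INSTANCE_PROFILE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
    ]
}
BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
}

# The default policy attached to a gateway endpoint grants full access.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}

# A restrictive endpoint policy scoped to a different bucket (constructed):
# it contains no Deny, yet example-bucket is not covered, so the request
# falls through to implicit deny at this layer.
RESTRICTIVE_ENDPOINT_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::other-bucket/*"}
    ]
}


def simulate_request(endpoint_policy, action="s3:GetObject",
                     resource="arn:aws:s3:::example-bucket/report.csv"):
    """Evaluate each policy layer; the request succeeds only if every layer allows."""
    checks = {
        "instance_profile": evaluate_policy(INSTANCE_PROFILE_POLICY, action, resource),
        "bucket_policy": evaluate_policy(BUCKET_POLICY, action, resource),
        "endpoint_policy": evaluate_policy(endpoint_policy, action, resource),
    }
    checks["result"] = "allowed" if all(v == "allow" for v in checks.values()) else "denied"
    return checks


def blocking_layers(checks):
    """Name the layers that did not return 'allow' (what to inspect next)."""
    return [layer for layer, v in checks.items() if layer != "result" and v != "allow"]


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_ENDPOINT_POLICY),
                         ("restrictive", RESTRICTIVE_ENDPOINT_POLICY)):
        outcome = simulate_request(policy)
        print(f"{name} endpoint policy -> {outcome['result']}; "
              f"blocked by: {blocking_layers(outcome) or 'nothing'}")
```

Running it with the default endpoint policy reports `allowed`; with the restrictive one every verified layer still allows, yet the overall result is `denied` and the only blocking layer is `endpoint_policy`. On a live account the document to inspect is the `PolicyDocument` returned by `aws ec2 describe-vpc-endpoints` for the gateway endpoint; a gateway endpoint has no security group, so option B has nothing to check.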

Comments

FlyingHawk
1 day, 14 hours ago
Selected Answer: D
Security groups only have allow rules, so A and B are incorrect. A gateway endpoint does not use the internet, so C is incorrect. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 1 times
Pmktechno
1 month, 1 week ago
Selected Answer: D
Even if the IAM instance profile, S3 bucket policy, security group, and network ACLs are correctly configured, the VPC endpoint policy must also allow access to the S3 bucket. If the endpoint policy is too restrictive, it could prevent the EC2 instance from accessing S3, causing the request to fail.
upvoted 1 times
mzeynalli
2 months, 3 weeks ago
Selected Answer: D
VPC endpoint policy must be configured to allow access to the S3 bucket explicitly.
upvoted 1 times
dabber
2 months, 3 weeks ago
Selected Answer: D
SGs don't have deny rules...
upvoted 1 times
mzeynalli
2 months, 3 weeks ago
Selected Answer: D
NOT B!!! B. VPC endpoint’s security group: Gateway VPC endpoints do not have security groups. Security groups apply to certain AWS resources (like EC2 instances and interface endpoints), but not to gateway endpoints. Therefore, option D is the most appropriate answer, as the VPC endpoint policy must be configured to allow access to the S3 bucket explicitly.
upvoted 1 times
koo_kai
3 months ago
Selected Answer: D
Gateway VPC endpoint
upvoted 1 times
Community vote distribution
  • A (35%)
  • C (25%)
  • B (20%)
  • Other