Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 92 discussion

A,D - altho' I stand corrected: D means copying credentials which introduces a security risk... so that means A,C

A removes the need for a NAT gateway and keeps the connection private, C restricts access to the bucket.

A: VPC S3 gateway for direct connection (no public internet) to access S3 C: Bucket policy to secure access and only allow the VPC application tier to access it B: Opens up to public D: Not secure to copy credentials E: NAT instance (obsolete now) is not useful for limiting resource access, it's for subnet connections

no one mentioned the translation issue, "limit access to sth" sounds like limit this but allow others, confusing for non-English speaker.

) Configure a VPC gateway endpoint for Amazon S3 within the VPC. C) Create a bucket policy that limits access to only the application tier running in the VPC. The key requirements are secure access to the S3 bucket from EC2 instances in the VPC. A VPC endpoint for S3 allows connectivity from the VPC to S3 without needing internet access. The bucket policy should limit access only to the VPC by whitelisting the VPC endpoint.

These are correct because "A" and "C" ensure secure access and secure connectivity between the S3 and the EC2 instances

The key requirements are to provide secure access to the S3 bucket only from the application tier EC2 instances inside the VPC. A VPC gateway endpoint allows private access to S3 from within the VPC without needing internet access. This keeps the traffic secure within the AWS network. The bucket policy should limit access to only the application tier, not make the objects public. This restricts access to the sensitive data to only the authorized application tier.

The correct options are: A) Configure a VPC gateway endpoint for Amazon S3 within the VPC. C) Create a bucket policy that limits access to only the application tier running in the VPC. The key requirements are secure access to the S3 bucket from EC2 instances in the VPC. A VPC endpoint for S3 allows connectivity from the VPC to S3 without needing internet access. The bucket policy should limit access only to the VPC by whitelisting the VPC endpoint.

ac is the correct answer, as per my knowledge people are confused with IAM user we can use IAM role for secure access.

AC is the right answer

A. This eliminates the need for the traffic to go over the internet, providing an added layer of security. B. It is important to restrict access to the bucket and its objects only to authorized entities. C. This helps maintain the confidentiality of the sensitive user information by limiting access to authorized resources. D. In this case, since the EC2 instances are accessing the S3 bucket from within the VPC, using IAM user credentials is unnecessary and can introduce additional security risks. E. a NAT instance to access the S3 bucket adds unnecessary complexity and overhead. In summary, the recommended steps to provide secure access to the S3 from the application tier running on EC2 inside a VPC are to configure a VPC gateway endpoint for S3 within the VPC (option A) and create a bucket policy that limits access to only the application tier running in the VPC (option C).

A & C the correct solutions.

A and C

A and C

The key part that many miss out on is 'Combination' The other answers are not wrong but A works with C and not with the rest as they need an internet connection.

AC is correct

https://aws.amazon.com/premiumsupport/knowledge-center/s3-private-connection-noauthentication/