Which combination of steps should a solutions architect take to accomplish this?
(Choose two.)
Configure a VPC gateway endpoint for Amazon S3 within the VPC.
Create a bucket policy to make the objects in the S3 bucket public.
Create a bucket policy that limits access to only the application tier running in the VPC.
Create an IAM user with an S3 access policy and copy the IAM credentials to the EC2 instance.
Create a NAT instance and have the EC2 instances use the NAT instance to access the S3 bucket.
Explanations:
Configuring a VPC gateway endpoint for Amazon S3 allows EC2 instances within the VPC to access the S3 bucket without traversing the internet. This ensures secure, private access to the S3 bucket from the application tier.
Making the objects in the S3 bucket public would expose sensitive user information to anyone on the internet, which contradicts the requirement for secure access.
Creating a bucket policy that limits access to only the application tier running in the VPC ensures that only authorized instances can access the sensitive data in the S3 bucket, enhancing security.
Creating an IAM user with an S3 access policy and copying the IAM credentials to the EC2 instance is not a best practice: long-lived static credentials stored on the instance can be read or exfiltrated, and if they are compromised they remain valid until someone rotates them. Instead, an IAM role attached to the EC2 instances should be used, so the application obtains temporary credentials automatically.
A NAT instance is not necessary for accessing S3 from a VPC if a VPC gateway endpoint is configured. Using a NAT instance also introduces complexity and potential security risks without providing any added benefit for S3 access.
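To make the two correct steps concrete, the following added example (not part of the original question or its explanations) builds the bucket policy that limits access to traffic arriving through the VPC gateway endpoint, and includes a small evaluator that mimics the relevant part of IAM's decision logic: an explicit Deny always wins, and a negated condition such as StringNotEquals matches when the key is absent from the request. The bucket name and endpoint id are constructed placeholders; the policy uses the real `aws:SourceVpce` condition key that S3 evaluates for requests that come through a gateway endpoint.

```python
import json

# Constructed placeholder identifiers for this example; substitute real values.
BUCKET = "example-app-data"
VPCE_ID = "vpce-0123456789abcdef0"


def build_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Return a bucket policy that explicitly denies every S3 action on the
    bucket unless the request arrived through the given VPC gateway endpoint.

    An explicit Deny overrides any Allow (for example one granted by the EC2
    instance role), so callers outside the VPC, including anyone on the
    internet, are refused even if their identity would otherwise permit access.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromAppTierVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate the two string operators used above with IAM semantics:
    StringEquals is false when the key is missing from the request context,
    while the negated StringNotEquals is true when the key is missing."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_allowed(policy: dict, ctx: dict, identity_allows: bool) -> bool:
    """Simplified IAM evaluation: a matching Deny statement in the bucket
    policy always wins; otherwise the request succeeds only if an identity
    policy (for example the instance role) grants it. Allow statements in the
    bucket policy are not modelled because the policy above contains none."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _condition_matches(stmt.get("Condition", {}), ctx):
            return False
    return identity_allows


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, VPCE_ID)
    # This JSON is what you would hand to `aws s3api put-bucket-policy`.
    print(json.dumps(policy, indent=2))

    # Constructed request contexts: via the application tier's endpoint,
    # from the public internet (no endpoint key), and via some other VPC's endpoint.
    from_app_tier = {"aws:SourceVpce": VPCE_ID}
    from_internet = {}
    from_other_vpc = {"aws:SourceVpce": "vpce-ffffffffffffffff0"}
    print(is_allowed(policy, from_app_tier, identity_allows=True))   # True
    print(is_allowed(policy, from_internet, identity_allows=True))   # False
    print(is_allowed(policy, from_other_vpc, identity_allows=True))  # False
```

The endpoint itself is created separately (for example with `aws ec2 create-vpc-endpoint` for the `com.amazonaws.<region>.s3` service, associated with the application subnets' route tables), and the instances still need an IAM role that allows the S3 actions; the bucket policy only narrows where permitted requests may come from. Because the Deny applies to every principal, administrators working from outside the VPC are locked out too, so in practice you exempt a break-glass or administration role (for example with an additional condition on `aws:PrincipalArn`) before applying this policy to a production bucket.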