Which solution will meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company deploys an application on AWS.The application recently uploaded confidential data to an Amazon S3 bucket outside the company.The company’s security team wants to prevent this scenario from occurring in the future.The company owns 100 different S3 buckets in various AWS accounts and uses AWS Organizations to manage the accounts.The security team must implement a solution that allows individual teams to create new S3 buckets.The solution must allow applications that are deployed on AWS to access only the S3 buckets that are deployed in the company’s organization.

Which solution will meet these requirements?

Create an S3 access point in each private subnet. Route all S3 requests to this access point. Create an S3 access point policy that restricts access to specific S3 buckets. Update all S3 access point policies when new S3 buckets are created in the organization.

Create an S3 gateway endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 gateway endpoint policy that restricts access to specific S3 buckets. Update all S3 gateway endpoint policies when new S3 buckets are created in the organization,

Create an S3 interface endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 interface endpoint policy that restricts access to specific S3 buckets. Update all S3 interface endpoint policies when new S3 buckets are created in the organization.

Create a Gateway Load Balancer endpoint in each private subnet. Route all S3 requests to this endpoint. Create a Gateway Load Balancer endpoint policy that restricts access to specific S3 buckets. Update all Gateway Load Balancer endpoint policies when new S3 buckets are created in the organization.

Explanations:

S3 access points are used for managing access to shared datasets in S3, but they do not inherently restrict access to specific buckets across accounts. Additionally, manually updating access point policies for new buckets can be error-prone and not scalable for managing multiple accounts.

Creating an S3 gateway endpoint allows private connectivity to S3 from the VPC, and with a gateway endpoint policy, access can be restricted to specific S3 buckets. This setup supports the company’s need to control access and is easier to manage across multiple accounts with AWS Organizations.

S3 interface endpoints are designed for connecting to S3 over a private link, but they do not serve the purpose of restricting access to specific S3 buckets effectively for an entire organization. Additionally, managing interface endpoints across multiple accounts is not ideal for this use case.

A Gateway Load Balancer endpoint is not applicable for routing S3 requests as it is designed for handling traffic for virtual appliances and not for S3. This option does not address the requirement of managing access to S3 buckets securely.

2025-10-02

1 Comment

  1. Dylan
    Author

    To the best of my knowledge, the answer is:
    Create an S3 gateway endpoint in each private subnet. Route all S3 requests to this endpoint. Create an S3 gateway endpoint policy that restricts access to specific S3 buckets. Update all S3 gateway endpoint policies when new S3 buckets are created in the organization,

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 12 =