What else should the security engineer check to determine why the request from the EC2 instance is failing?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company has configured a gateway VPC endpoint in a VPC.Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint.The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint.The VPC provides internet access through an internet gateway.A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails.The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects.The security engineer also verifies that the S3 bucket policy is allowing access properly.Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication.

What else should the security engineer check to determine why the request from the EC2 instance is failing?

Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.

Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.

Verify that the internet gateway is allowing traffic to Amazon S3.

Verify that the VPC endpoint policy is allowing access to Amazon S3.

Explanations:

Security groups in AWS do not have implicit inbound deny rules; instead, they allow all outbound traffic by default unless specified otherwise. Therefore, this option does not apply to the situation.

The VPC endpoint does not use security groups for controlling access to S3. Instead, it is governed by the VPC endpoint policy and the IAM roles. An explicit deny rule in a security group for a VPC endpoint does not exist in the same manner as for EC2 instances.

The internet gateway is not involved in traffic routed through a gateway VPC endpoint to S3, as this traffic remains within the AWS network. The routing to S3 through the VPC endpoint does not require an internet gateway, making this option irrelevant.

The VPC endpoint policy governs access to S3 through the endpoint. If the endpoint policy does not allow the necessary actions for the EC2 instance’s IAM role, the request to access S3 will fail. Verifying the endpoint policy is crucial to resolving access issues.

2025-10-07

1 Comment

  1. Christopher
    Author

    I categorize that the answer is:
    Verify that the VPC endpoint policy is allowing access to Amazon S3.

Leave a Reply to Christopher Cancel reply

Your email address will not be published. Required fields are marked *

fourteen + 8 =