Which combination of steps should the solutions architect take to implement this solution?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts.The company’s information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.

Which combination of steps should the solutions architect take to implement this solution?

(Choose two.)

Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point

Create an interface endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Create a VPC gateway attachment for the S3 endpoint

Create a gateway endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Specify the route table that is used to access the access point.

Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.

Create a gateway endpoint for Amazon S3 in the data lake’s VPC. Attach an endpoint policy to allow access to the S3 bucket. Specify the route table that is used to access the bucket

Explanations:

Creating an S3 access point for each application ensures that access can be controlled and limited to specific VPCs. Updating the bucket policy to require access from the access point enforces security compliance with the requirement that no public internet access is allowed.

An interface endpoint for S3 is not necessary because S3 supports gateway endpoints, which provide a direct route from the VPC to S3 without needing public internet access. Additionally, endpoint policies apply to gateway endpoints, not interface endpoints for S3.

Creating a gateway endpoint for Amazon S3 in each application’s VPC allows access to S3 without traversing the public internet. Configuring the endpoint policy to allow access to the S3 access point ensures that applications can only access the S3 resources they need.

While creating access points in each AWS account is a feasible approach, it complicates management and may violate the principle of least privilege if not implemented carefully. Each access point should be tied to the single owning account, not duplicated across accounts unnecessarily.

Creating a gateway endpoint for the data lake’s VPC does not meet the requirement of allowing access from multiple VPCs or accounts. Furthermore, an endpoint policy directly allowing access to the S3 bucket does not address the need for controlled access through specific access points tied to VPCs.

2025-10-20

1 Comment

  1. Emily
    Author

    I design that the answer is:
    Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 4 =