Which combination of steps should the solutions architect take to implement this solution?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts.The company’s information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.

Which combination of steps should the solutions architect take to implement this solution?

(Choose two.)

Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.

Create an interface endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Create a VPC gateway attachment for the S3 endpoint.

Create a gateway endpoint for Amazon S3 in each application’s VPConfigure the endpoint policy to allow access to an S3 access point. Specify the route table that is used to access the access point.

Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.

Create a gateway endpoint for Amazon S3 in the data lake’s VPC. Attach an endpoint policy to allow access to the S3 bucket. Specify the route table that is used to access the bucket.

Explanations:

Creating an S3 access point for each application in the bucket owner’s account and restricting it to the application’s VPC meets the requirement to control access by VPC, aligns with the principle of least privilege, and requires access from an access point in the bucket policy.

Interface endpoints are used for private connections to AWS services, but a VPC gateway attachment does not apply to S3. Also, this option does not limit access specifically to S3 access points or ensure minimum necessary permissions.

Creating a gateway endpoint in each application’s VPC with an endpoint policy to allow access to specific S3 access points provides a private connection without using the internet, and allows policy enforcement for minimal permissions.

Creating access points in each AWS account is not necessary, as access points should be created in the S3 bucket owner’s account for centralized control and minimal permission configuration.

A gateway endpoint in the data lake’s VPC does not restrict access by application VPCs and does not ensure minimum permissions per application, which are both requirements.

2025-10-20

1 Comment

  1. Timothy
    Author

    As far as I’m aware, the answer is:
    Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.

Leave a Reply to Timothy Cancel reply

Your email address will not be published. Required fields are marked *

16 − ten =