A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.
A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance’s security group and the subnet’s network ACLs allow the communication.
What else should the security engineer check to determine why the request from the EC2 instance is failing?

A. Verify that the EC2 instance’s security group does not have an implicit inbound deny rule for Amazon S3.

B. Verify that the VPC endpoint’s security group does not have an explicit inbound deny rule for the EC2 instance.

C. Verify that the internet gateway is allowing traffic to Amazon S3.

D. Verify that the VPC endpoint policy is allowing access to Amazon S3.








 

Suggested Answer: D

Community Answer: D




This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.