Q32 — AWS DVA-C02 Ch.3
A company has multiple Amazon VPC endpoints in the same VPC. A developer wants to configure an Amazon S3 bucket policy so users can access the S3 bucket only through these VPC endpoints. Which solution meets these requirements?
- A. Create multiple S3 bucket policies—one per VPC endpoint ID—with the aws:SourceVpce value used in a StringNotEquals condition.
- B. Create a single S3 bucket policy with the aws:SourceVpc value and the VPC ID used in a StringNotEquals condition.
- C. Create a single S3 bucket policy with the aws:SourceVpce value and 'vpce*' used in a StringNotEquals condition.
- D. Create a single S3 bucket policy with multiple aws:sourceVpce values in a StringNotEquals condition—one for each VPC endpoint. ✓
Correct Answer: D. Create a single S3 bucket policy with multiple aws:sourceVpce values in a StringNotEquals condition—one for each VPC endpoint.
Explanation
Option D provides a solution applicable to all VPC endpoints. It specifies multiple aws:sourceVpce values in a single StringNotEquals condition, ensuring only traffic from those specific VPC endpoints can access the S3 bucket. Options A and C rely on a single StringNotEquals condition and thus cannot cover multiple distinct endpoints. Option B uses aws:SourceVpc, which restricts by VPC—not by individual VPC endpoints—and therefore fails to enforce endpoint-specific access control. Hence, Option D best fulfills the requirement. 【Lantern Certification provided by: swufelp1999】
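The bucket policy shape that option D describes, written out as an added example (not part of the original question or of any AWS documentation). The bucket name and the two `vpce-…` IDs are constructed placeholders; substitute the real endpoint IDs from `aws ec2 describe-vpc-endpoints`. A single explicit `Deny` with `StringNotEquals` on `aws:sourceVpce` and a list of endpoint IDs denies every request whose endpoint ID is not in the list, which is what restricts access to exactly those endpoints.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessViaListedVpcEndpoints",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-0a1b2c3d4e5f60001",
            "vpce-0a1b2c3d4e5f60002"
          ]
        }
      }
    }
  ]
}
```

Because the `Deny` also applies to requests that arrive without any `aws:sourceVpce` key (the console, the CLI from outside the VPC, other AWS services), validate it with the IAM policy simulator or on a test bucket first, since a mistyped endpoint ID locks out every path except one that goes through a listed endpoint.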