nerdexam
Amazon

DVA-C02 · Question #167

A company has multiple Amazon VPC endpoints in the same VPC. A developer needs to configure an Amazon S3 bucket policy so users can access an S3 bucket only by using these VPC endpoints. Which solutio

The correct answer is D. Create a single S3 bucket policy that has multiple aws:sourceVpce value in the StringNotEquals. Option D is correct because when a company has multiple VPC endpoints, the bucket policy must list all endpoint IDs using aws:SourceVpce with multiple values inside a StringNotEquals condition in a Deny statement - this denies any request that does not originate from one of those

Submitted by lars.no· Mar 5, 2026Security

Question

A company has multiple Amazon VPC endpoints in the same VPC. A developer needs to configure an Amazon S3 bucket policy so users can access an S3 bucket only by using these VPC endpoints. Which solution will meet these requirements?

Options

  • ACreate multiple S3 bucket polices by using each VPC endpoint ID that have the aws:SourceVpce
  • BCreate a single S3 bucket policy that has the aws:SourceVpc value and in the StringNotEquals
  • CCreate a single S3 bucket policy that has the aws:SourceVpce value and in the StringNotEquals
  • DCreate a single S3 bucket policy that has multiple aws:sourceVpce value in the StringNotEquals

How the community answered

(46 responses)
  • A
    11% (5)
  • B
    9% (4)
  • C
    2% (1)
  • D
    78% (36)

Explanation

Option D is correct because when a company has multiple VPC endpoints, the bucket policy must list all endpoint IDs using aws:SourceVpce with multiple values inside a StringNotEquals condition in a Deny statement - this denies any request that does not originate from one of those listed endpoints, enforcing endpoint-only access.

Why the distractors fail:

  • A is wrong because an S3 bucket can only have one bucket policy; you cannot create multiple separate policies per endpoint.
  • B is wrong because aws:SourceVpc matches at the VPC level, which would allow access from any endpoint in that VPC - not just the specific designated endpoints - so it lacks the required granularity.
  • C is wrong because it specifies only a single aws:SourceVpce value; with multiple VPC endpoints, a single value would block legitimate access from the other endpoints.

Memory tip: Think "Deny + StringNotEquals = allow only these." The StringNotEquals condition in a Deny statement reads as "deny the request if the endpoint ID does NOT match any of these" - and since there are multiple endpoints, you need multiple values in that same condition, making D the only complete solution.

Topics

#S3 bucket policies#VPC endpoints#IAM conditions#Network security

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice