DVA-C02 · Question #167
A company has multiple Amazon VPC endpoints in the same VPC. A developer needs to configure an Amazon S3 bucket policy so users can access an S3 bucket only by using these VPC endpoints. Which solutio
The correct answer is D. Create a single S3 bucket policy that has multiple aws:sourceVpce value in the StringNotEquals. Option D is correct because when a company has multiple VPC endpoints, the bucket policy must list all endpoint IDs using aws:SourceVpce with multiple values inside a StringNotEquals condition in a Deny statement - this denies any request that does not originate from one of those
Question
A company has multiple Amazon VPC endpoints in the same VPC. A developer needs to configure an Amazon S3 bucket policy so users can access an S3 bucket only by using these VPC endpoints. Which solution will meet these requirements?
Options
- ACreate multiple S3 bucket polices by using each VPC endpoint ID that have the aws:SourceVpce
- BCreate a single S3 bucket policy that has the aws:SourceVpc value and in the StringNotEquals
- CCreate a single S3 bucket policy that has the aws:SourceVpce value and in the StringNotEquals
- DCreate a single S3 bucket policy that has multiple aws:sourceVpce value in the StringNotEquals
How the community answered
(46 responses)- A11% (5)
- B9% (4)
- C2% (1)
- D78% (36)
Explanation
Option D is correct because when a company has multiple VPC endpoints, the bucket policy must list all endpoint IDs using aws:SourceVpce with multiple values inside a StringNotEquals condition in a Deny statement - this denies any request that does not originate from one of those listed endpoints, enforcing endpoint-only access.
Why the distractors fail:
- A is wrong because an S3 bucket can only have one bucket policy; you cannot create multiple separate policies per endpoint.
- B is wrong because
aws:SourceVpcmatches at the VPC level, which would allow access from any endpoint in that VPC - not just the specific designated endpoints - so it lacks the required granularity. - C is wrong because it specifies only a single
aws:SourceVpcevalue; with multiple VPC endpoints, a single value would block legitimate access from the other endpoints.
Memory tip: Think "Deny + StringNotEquals = allow only these." The StringNotEquals condition in a Deny statement reads as "deny the request if the endpoint ID does NOT match any of these" - and since there are multiple endpoints, you need multiple values in that same condition, making D the only complete solution.
Topics
Community Discussion
No community discussion yet for this question.