SAP-C02 Question #747: Real Exam Question with Answer & Explanation

The correct answers are A and E: create a gateway VPC endpoint for Amazon S3 in the data scientists' VPC, and add an S3 bucket policy whose condition allows s3:GetObject only for requests that arrive through that endpoint. The endpoint gives the instances a private path to S3, and the bucket policy condition is what turns "has a private path" into "may only use the private path".

Submitted by andres_qro · Mar 6, 2026 · Domain: Design Solutions for Organizational Complexity

Question

A company is collecting data from a large set of IoT devices. The data is stored in an Amazon S3 data lake. Data scientists perform analytics on Amazon EC2 instances that run in two public subnets in a VPC in a separate AWS account. The data scientists need access to the data lake from the EC2 instances. The EC2 instances already have an assigned role with permissions to access Amazon S3. According to company policies, only authorized networks are allowed to have access to the IoT data. Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)

Options

  • A. Create a gateway VPC endpoint for Amazon S3 in the data scientists' VPC.
  • B. Create an S3 access point in the data scientists' AWS account for the data lake.
  • C. Update the EC2 instance role. Add a policy with a condition that allows the s3:GetObject action
  • D. Update the VPC route table to route S3 traffic to an S3 access point.
  • E. Add an S3 bucket policy with a condition that allows the s3:GetObject action when the value for

Explanation

To restrict access to the S3 data lake to authorized networks, create a gateway VPC endpoint for S3 in the data scientists' VPC and enforce its use with a condition in the data lake's bucket policy. The gateway endpoint installs a prefix-list route for S3 into the route tables you associate with it, so S3 requests from the instances leave through the endpoint rather than the internet gateway, even though the subnets are public. Every request that traverses the endpoint carries the endpoint ID in the aws:SourceVpce request context key; the bucket policy grants the scientists' role s3:GetObject only when that key equals the endpoint's ID. A request from the same role over any other path (the public internet, another VPC, an on-premises network) has no matching aws:SourceVpce value and fails the condition, regardless of what the instance role itself permits. Two caveats a practitioner should check: a gateway endpoint only serves buckets in its own Region, and it is reachable only from inside that VPC, not over VPN, Direct Connect, or VPC peering, so any other authorized network needs its own endpoint (and its own ID in the condition).
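The bucket policy described above, as an added worked example that is not part of the original question or its explanation. It builds the policy document (with an optional explicit Deny as a hardened variant) and runs a minimal IAM-style evaluator over it, so you can see that the same role is allowed when the request context carries the endpoint ID and denied when it does not. The bucket name, role ARN, account IDs and endpoint ID are constructed placeholders; the evaluator models only the bucket policy, since the question states the instance role already permits S3 access.

```python
"""S3 bucket policy restricting reads to one gateway VPC endpoint, plus a toy evaluator.

Identifiers below are constructed placeholders for the example, not real resources.
"""
import json
from fnmatch import fnmatchcase

DATA_LAKE_BUCKET = "example-iot-data-lake"                              # bucket in the data lake account
SCIENTIST_ROLE_ARN = "arn:aws:iam::222222222222:role/DataScientistEC2Role"  # role in the scientists' account
GATEWAY_ENDPOINT_ID = "vpce-0123456789abcdef0"                            # gateway endpoint in their VPC


def bucket_policy(bucket, role_arn, vpce_id, deny_outside_endpoint=False):
    """Cross-account bucket policy: the scientists' role may GetObject only when the
    request arrived through the named gateway endpoint (aws:SourceVpce)."""
    statements = [
        {
            "Sid": "AllowScientistsReadViaGatewayEndpoint",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
        }
    ]
    if deny_outside_endpoint:
        # Hardened variant: an explicit Deny beats any Allow granted elsewhere, but it
        # also blocks the bucket owner's own principals unless they use this endpoint.
        statements.append(
            {
                "Sid": "DenyReadsNotFromGatewayEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or arn in allowed


def _condition_matches(condition, context):
    """StringEquals / StringNotEquals only (all this policy uses). A key absent from
    the request context never satisfies StringEquals and always satisfies
    StringNotEquals, which is exactly why a non-endpoint request fails the Allow
    and matches the Deny."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            hit = actual in _as_list(expected)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True


def is_allowed(policy, principal_arn, action, resource, context):
    """Evaluate the bucket policy alone: explicit Deny wins, then any matching Allow,
    otherwise default deny."""
    verdict = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        verdict = True
    return verdict


if __name__ == "__main__":
    policy = bucket_policy(DATA_LAKE_BUCKET, SCIENTIST_ROLE_ARN, GATEWAY_ENDPOINT_ID)
    print(json.dumps(policy, indent=2))  # paste into `aws s3api put-bucket-policy --policy file://...`
    obj = f"arn:aws:s3:::{DATA_LAKE_BUCKET}/devices/2026/03/06/part-0000.parquet"
    via_endpoint = {"aws:SourceVpce": GATEWAY_ENDPOINT_ID}   # routed through the gateway endpoint
    from_internet = {"aws:SourceIp": "203.0.113.10"}          # same role, public path: no vpce in context
    print(is_allowed(policy, SCIENTIST_ROLE_ARN, "s3:GetObject", obj, via_endpoint))   # True
    print(is_allowed(policy, SCIENTIST_ROLE_ARN, "s3:GetObject", obj, from_internet))  # False
```

The endpoint itself is created in the scientists' account with `aws ec2 create-vpc-endpoint --vpc-endpoint-type Gateway --service-name com.amazonaws.<region>.s3 --vpc-id <vpc-id> --route-table-ids <rtb-ids>`; the ID it returns is the value the condition compares against, and the policy is applied in the data lake account with `aws s3api put-bucket-policy`. Before adding the Deny variant to a real bucket, confirm that the ingestion pipeline and administrators in the data lake account either use the endpoint or are carved out, or the Deny will lock them out too.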

Common mistakes.

  • B. S3 Access Points simplify managing access to a shared bucket, but an access point by itself does not give the instances private connectivity or restrict where requests come from; without a VPC endpoint it does not satisfy the 'authorized networks' requirement.
  • C. The question states the EC2 instance role already has permissions to access S3, so adding to the identity policy is not the step that restricts the network path; the restriction belongs in the bucket policy, which the data lake's owner controls.
  • D. When a gateway VPC endpoint for S3 is created, a route to the S3 prefix list is added to the route tables you associate with it; an access point is not a route target, so 'routing S3 traffic to an S3 access point' is not a valid mechanism for private S3 access.

Concept tested. Private S3 access from VPC with Gateway Endpoints and Bucket Policies

Reference. https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html
