SCS-C02 Question #246: Real Exam Question with Answer & Explanation
The correct answer is D: Verify that the VPC endpoint policy is allowing access to Amazon S3.
Question
A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway. A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance's security group and the subnet's network ACLs allow the communication. What else should the security engineer check to determine why the request from the EC2 instance is failing?
Options
- A. Verify that the EC2 instance's security group does not have an implicit inbound deny rule for
- B. Verify that the VPC endpoint's security group does not have an explicit inbound deny rule for the
- C. Verify that the internet gateway is allowing traffic to Amazon S3.
- D. Verify that the VPC endpoint policy is allowing access to Amazon S3.
Explanation
Option D is correct because gateway VPC endpoints have their own resource-based policy - the endpoint policy - which acts as a third access control layer independent of IAM permissions and the S3 bucket policy. Even with correct IAM and bucket policies, a restrictive or misconfigured endpoint policy can block all traffic flowing through the endpoint, and this is the one layer the security engineer hasn't verified yet.
Why the distractors are wrong:
- A is wrong because security groups are stateful and the question already confirms they allow the communication; also, "implicit inbound deny" rules don't apply to outbound EC2→S3 traffic flows in this context.
- B is wrong because gateway VPC endpoints (used for S3 and DynamoDB) do not have security groups - only interface endpoints (PrivateLink) have associated security groups.
- C is wrong because the subnet's route table explicitly directs S3 traffic through the gateway endpoint, bypassing the internet gateway entirely - so the internet gateway is irrelevant for this traffic path.
Memory tip: Think of S3 access via a VPC endpoint as a three-key lock: IAM policy, endpoint policy, and S3 bucket policy - all three must grant access. The endpoint policy is the easiest to overlook because it defaults to full access but can be silently tightened by an admin.