You have created a VPC Endpoint for your private subnet to S3. The default endpoint policy is in place. You are trying to access a bucket, but you’re getting an access denied error. What must be done?

Answer options:

A.Add the VPC endpoint to the Endpoint policy to allow access to the S3 bucket.
B.Add the VPC to the S3 bucket policy.
C.Add the VPC Endpoint to the S3 bucket policy.
D.Add the VPC endpoint to the Bucket ACL.

Answer – C
Option A is incorrect since the default endpoint policy will already allow complete S3 access.
Option B is incorrect since the right approach is to add the VPC Endpoint to the S3 bucket policy.
Option D is incorrect since you are not supposed to add this to the Bucket ACL.
You need to ensure that the S3 bucket allows access to the VPC Endpoint. Below is a sample from the AWS Documentation.
Restricting Access to a Specific VPC Endpoint
The following is an example of an S3 bucket policy that restricts access to a specific bucket, examplebucket, only from the VPC endpoint with the ID vpce-1a2b3c4d. The policy denies all access to the bucket if the specified endpoint is not being used. The aws:sourceVpce condition is used to specify the endpoint. The aws:sourceVpce condition does not require an ARN for the VPC endpoint resource, only the VPC endpoint ID. For more information about using conditions in a policy, see Specifying Conditions in a Policy.
{
 "Version": "2012-10-17",
 "Id": "Policy1415115909152",
 "Statement": [
 {
 "Sid": "Access-to-specific-VPCE-only",
 "Principal": "*",
 "Action": "s3:*",
 "Effect": "Deny",
 "Resource": ["arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"],
 "Condition": {
 "StringNotEquals": {
 "aws:sourceVpce": "vpce-1a2b3c4d"
 }
 }
 }
 ]
}
For more information on VPC endpoints and S3 bucket policies, please refer to the below URL
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html