A manufacturing firm is storing all project documents in various S3 buckets. Application servers deployed within a VPC need to access these S3 buckets to fetch the latest files. To limit servers with Internet access, the client has created Amazon S3 endpoint to have secure access to the S3 bucket. The client needs to further enhance security by having control over individual Servers accessing only authorized S3 buckets (using role-based access on a bucket policy) and should be denied from accessing all other S3 buckets. Which of the following can be used to meet this requirement?

Answer options:

A.Create a VPC endpoint policy that restricts access to specific S3 buckets only.
B.Create an S3 bucket policy with aws:SourceIp condition matching instance IP address to control access from each server to S3 bucket.
C.Create an outbound security group rule which specifies a prefix list for the S3 bucket from each server.
D.Create an outbound NACL that specifies a prefix list for the S3 bucket from each server.

Correct Answer – A
A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when creating or modifying the endpoint. If you do not attach a policy when you create an endpoint, we attach a default policy for you that allows full access to the service. If a service does not support endpoint policies, the endpoint allows full access to the service. An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.
Option A is correct as the VPC endpoint policy can be used to limit all resources in a subnet to access a particular S3 bucket alone.
Refer link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html#vpc-endpoint-policies and https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html#vpc-endpoints-policies-s3
Option B is incorrect as For Gateway VPC endpoint, S3 bucket policy cannot be configured for VPC endpoint, as a source IP address can be the same.
Option C is incorrect because access to specific S3 buckets cannot be handled by an "outbound security group rule."
Option D is incorrect as for Gateway VPC endpoint, the S3 prefix list cannot be specified with NACL.
For more information on controlling access to Gateway Endpoints, refer to the following URL
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html