You are a machine learning specialist at a government agency that processes citizen applications (online, mail, and in-person) for government documents such as driver`s licenses and passports.Your machine learning team is responsible for using machine learning technology to determine fraudulent activity in the document application processes. You are preparing a subset of your agency data for model training. In order to use your data in your SageMaker notebook, you have stored your data in S3. By definition, your data contains Personally Identifiable Information (PII). In order to maintain the required level of security, your data must be accessible only from within your VPC and cannot traverse the public internet. Which option best meets your security requirements?

Answer options:

A.Use a VPC endpoint and leverage a security group to restrict access to the VPC endpoint.
B.Use a VPC endpoint and leverage a Network Access Control List (NACL) to only allow traffic between the VPC endpoint and S3.
C.Use a VPC endpoint and leverage a bucket access policy to allow access to the S3 bucket from the VPC endpoint.
D.Use a VPC endpoint and leverage a bucket access policy to deny access to the S3 bucket from resources other than the VPC endpoint and the VPC.

Correct Answer: D
Option A is incorrect. This option doesn’t meet your requirements because it doesn’t address access to the S3 bucket or the restriction of not traversing the internet.
Option B is incorrect. This option also doesn’t meet your requirements because it doesn’t address the restriction of not traversing the internet.
Option C is incorrect. We need to restrict access using a deny statement if our source (either the VPC endpoint or the VPC) is not equal to our VPC Endpoint or VPC. So we need to use a deny statement in our policy, not an allow statement. This option describes using an allow statement.
Option D is correct. You can control which VPCs or VPC endpoints have access to your buckets by using S3 bucket policies with deny statements. Also, when you use a VPC Endpoint, your traffic doesn`t traverse the internet.
References:
Please see the Amazon Virtual Private Cloud AWS Privatelink documentation titled Endpoints for Amazon S3 (https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#vpc-endpoints-s3-bucket-policies),
The Amazon Simple Storage Service user guide titled Controlling access from VPC endpoints with bucket policies (https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html)