Your organization has an existing VPC with an AWS S3 VPC endpoint created and serving certain S3 buckets. You were asked to create a new S3 bucket and reuse the existing VPC endpoint to route requests to the new S3 bucket. However, after creating a new S3 bucket and sending requests from an EC2 instance via the VPC endpoint, you found the requests are failing with the “Access Denied” error. What could be the issue? (select 2 options)

Answer options:

A.VPC endpoint contains a policy, currently restricted to certain S3 buckets, and does not contain a new S3 bucket.
B.AWS IAM role/user does not have access to the new S3 bucket.
C.AWS default DENY policy restricts access to IAM user/role who already has access to the S3 bucket
D.You need to add a new S3 bucket hostname as destination and VPC endpoint ID as target in route table in order to route requests to the new S3 bucket.

Answer: A, B
Option A is correct. The VPC endpoint has a policy which by default allows all actions on all S3 buckets. We can restrict access to certain S3 buckets and certain actions on this policy. In such cases, for accessing any new buckets or for any new actions, the VPC endpoint policy needs to be modified accordingly.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints-access.html#vpc- endpoint-policies
Option B is correct. The AWS IAM role/user used to access the S3 bucket needs to have access granted via IAM policy before accessing. So if the IAM role/user is not an administrator or has full S3 access, a newly created S3 bucket must be added to the IAM policy.
https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
Option C is incorrect. By default, there is no resource policy on the S3 bucket. If we would like to make the bucket private, we can add a new resource policy with “Deny.” Please see the documentation for more information.
https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to- sensitive-amazon-s3-buckets/
Option D is incorrect, You can have multiple endpoint routes to different services in a route table, and you can have multiple endpoint routes to the same service in different route tables. Still, you cannot have multiple endpoints to the same service in a single route table. For example, if you have two endpoints to Amazon S3 in your VPC, you cannot use the same route table for both endpoints.
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations