An IT company owns a web product in AWS that provides discount restaurant information to customers. It has used one S3 Bucket (my-bucket) to store restaurant data such as pictures, menus, etc. The product is deployed in VPC subnets. The company’s Cloud Architect decides to configure a VPC endpoint for this S3 bucket to enhance the performance. To be compliant with security rules, it is required that the new VPC endpoint is only used to communicate with this specific S3 Bucket. On the other hand, the S3 bucket allows the read/write operations to come from this VPC endpoint. Which two options should the Cloud Architect choose to meet the security needs?

Answer options:

A.Use a VPC Endpoint policy for Amazon S3 to restrict access to the S3 Bucket “my-bucket” so that the VPC Endpoint is only allowed to perform S3 actions on “my-bucket”.
B.Modify the security group of the EC2 instance to limit the outbound actions to the VPC Endpoint by denying the outgoing traffic to the destination S3 bucket “my-bucket”.
C.In the S3 bucket “my-bucket”, add an S3 bucket policy in which all actions are denied if the source IP address is not equal to the EC2 public IP (use “NotIpAddress” condition).
D.For the S3 bucket “my-bucket”, use an S3 bucket policy that denies all actions if the source VPC Endpoint is not equal to the endpoint ID that is created.
E.Create an S3 bucket policy in the S3 bucket “my-bucket” which denies all actions unless the source IP address is equal to the EC2 public IP (use “IpAddress” condition).

Correct Answer – A, D
In this case, two restrictions are required.
1, For the VPC endpoint, restricting access to the specific S3 Bucket “my-bucket”. A VPC Endpoint policy is needed.
{
"Statement": [
{
"Sid": "Access-to-my-bucket-only",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-bucket",
 "arn:aws:s3:::my-bucket/*"]
}
]
} 
2, For the S3 bucket “my-bucket”, restricting access to the new VPC Endpoint. S3 Bucket policy is required.
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Access-to-specific-VPCE-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::my-bucket",
 "arn:aws:s3:::my-bucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1a2b3c4d"
}
}
}
]
}
In terms of the S3 bucket policy for VPC Endpoint, the aws:SourceIp condition can not be used as for either NotIpAddress or IpAddress, the condition fails to match any specified IP address or IP address range. Instead, the specific endpoint ID should be used for the S3 bucket policy.
 
Option A is CORRECT because the VPC Endpoint policy helps to restrict which entity can use the VPC Endpoint. It is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint.
Option B is incorrect because users cannot configure a "deny" for the outbound traffic in a security group.
Option C is incorrect because, for the S3 bucket policy, the NotIpAddress condition is always met for the VPC endpoint so that it cannot help restrict the traffic from the VPC endpoint.
Option D is CORRECT because, in the S3 bucket policy, a rule can be set up to deny all actions if the incoming traffic is not from the VPC Endpoint ID.Option E is incorrect: Same reason as option
C.