Exam SAP-C02
Question 526

A company is collecting data from a large set of IoT devices. The data is stored in an Amazon S3 data lake. Data scientists perform analytics on Amazon EC2 instances that run in two public subnets in a VPC in a separate AWS account.

The data scientists need access to the data lake from the EC2 instances. The EC2 instances already have an assigned role with permissions to access Amazon S3.

According to company policies, only authorized networks are allowed to have access to the IoT data.

Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)

    Correct Answer: A, E

    Option A, a gateway VPC endpoint for Amazon S3, keeps the traffic between the EC2 instances and the data lake on the AWS network instead of routing it over the public internet, which matters here because the instances sit in public subnets. On its own, however, an endpoint only changes the path the requests take; it does not prevent the same credentials from reaching the bucket from another network. The network restriction comes from the S3 bucket policy in option E: it allows s3:GetObject only when the s3:DataAccessPointArn condition key equals the ARN of a specific S3 access point. That key is present only on requests that arrive through an access point, and an access point created with a VPC network origin accepts requests only from inside that VPC, so a direct request to the bucket from any other network has no matching Allow statement and is implicitly denied. Together the two steps satisfy the company policy that only authorized networks can read the IoT data. One caveat a practitioner should keep in mind: because the condition key depends on an access point, E is only effective if an access point with a VPC network origin actually exists for the bucket; a bucket policy that relies on the gateway endpoint alone would instead use the aws:SourceVpce condition key with the endpoint ID.
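The following is an added example, not code from the exam page or from AWS. It builds the policy documents the explanation describes (a bucket policy conditioned on s3:DataAccessPointArn, the alternative conditioned on aws:SourceVpce, and the input for an access point with a VPC network origin) and runs constructed request contexts through a deliberately simplified local evaluator, so the effect of the condition keys can be seen without an AWS account. All account IDs, VPC and endpoint IDs, bucket and access point names are invented placeholders.

```python
"""Added example, not taken from the exam page or from AWS documentation.

Builds the policy documents the explanation talks about and evaluates them
with a deliberately simplified, local IAM-style evaluator.  Account IDs,
VPC/endpoint IDs and names are invented placeholders.
"""
import json
from fnmatch import fnmatchcase

DATA_ACCOUNT = "111111111111"                 # assumed: account that owns the data lake
BUCKET = "iot-data-lake-example"              # assumed bucket name
ANALYTICS_VPC = "vpc-0a1b2c3d4e5f67890"       # assumed: VPC of the EC2 instances
GATEWAY_ENDPOINT = "vpce-0123456789abcdef0"   # assumed: gateway endpoint for S3
ACCESS_POINT_ARN = f"arn:aws:s3:us-east-1:{DATA_ACCOUNT}:accesspoint/analytics-ap"


def access_point_config(account, name, bucket, vpc_id):
    """Input for the s3control CreateAccessPoint call with a VPC network origin.
    Such an access point only serves requests that originate inside vpc_id,
    which is what actually pins the data to an authorized network."""
    return {"AccountId": account, "Name": name, "Bucket": bucket,
            "VpcConfiguration": {"VpcId": vpc_id}}


def bucket_policy(bucket, condition):
    """Bucket policy allowing s3:GetObject only while `condition` holds."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GetObjectOnlyFromAuthorizedNetwork",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},   # scope this to the analytics account in practice
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition,
        }],
    }


# Option E as described: the key exists only on requests made through an access point.
VIA_ACCESS_POINT = {"StringEquals": {"s3:DataAccessPointArn": ACCESS_POINT_ARN}}
# The condition normally paired with a gateway endpoint (assumption, not on the page).
VIA_GATEWAY_ENDPOINT = {"StringEquals": {"aws:SourceVpce": GATEWAY_ENDPOINT}}


def _condition_holds(condition, context):
    """Models only StringEquals, StringLike and ArnLike.  A key that is absent
    from the request context never matches, as in IAM."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            values = wanted if isinstance(wanted, list) else [wanted]
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in values
            elif operator in ("StringLike", "ArnLike"):
                ok = any(fnmatchcase(actual, v) for v in values)
            else:
                raise ValueError(f"operator {operator} not modeled")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified resource-policy evaluation: allowed if some Allow statement
    matches action, resource and condition.  Real IAM additionally evaluates
    the caller's identity policy, the access point policy, SCPs and explicit
    Deny statements; this is just enough to show the condition keys at work."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_holds(st.get("Condition", {}), context):
            return True
    return False


OBJECT = f"arn:aws:s3:::{BUCKET}/device-0042/2024-01-01.json"


def get_via_access_point(policy):
    """Constructed context: an EC2 instance in the VPC reads through the access point."""
    ctx = {"s3:DataAccessPointArn": ACCESS_POINT_ARN, "aws:SourceVpce": GATEWAY_ENDPOINT}
    return is_allowed(policy, "s3:GetObject", OBJECT, ctx)


def get_direct_from_internet(policy):
    """Constructed context: same credentials, plain bucket request from outside
    the VPC; neither network-related condition key is present."""
    return is_allowed(policy, "s3:GetObject", OBJECT, {"aws:SourceIp": "203.0.113.10"})


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, VIA_ACCESS_POINT), indent=2))
    print(json.dumps(access_point_config(DATA_ACCOUNT, "analytics-ap", BUCKET, ANALYTICS_VPC), indent=2))
    for name, cond in (("access point", VIA_ACCESS_POINT), ("gateway endpoint", VIA_GATEWAY_ENDPOINT)):
        pol = bucket_policy(BUCKET, cond)
        print(f"{name}: via VPC -> {get_via_access_point(pol)}, "
              f"from internet -> {get_direct_from_internet(pol)}")
```

Running the block prints the two policy documents and then, for each condition, that the request from inside the VPC is allowed while the identical request from the public internet is not. The evaluator is intentionally minimal; in a real account the access point policy and the EC2 role's identity policy are evaluated as well, and the `Principal` in the bucket policy should be narrowed to the analytics account rather than left as `*`.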

Discussion
Alagong (Options: AE)

A. This step ensures that the traffic between the EC2 instances and the S3 data lake does not traverse the public internet, thereby meeting security requirements and reducing latency. E. This step ensures that the access to the data lake is restricted according to company policies. It leverages an S3 bucket policy to enforce access control based on specific conditions, thereby providing an additional layer of security.

gfhbox0083 (Options: AE)

A, E for sure. Only authorized networks are allowed to have access to the IoT data.

kupo777

B. S3 access points allow fine-grained control of access policies and network settings for specific S3 buckets. E. s3:DataAccessPointArn must be used to set permissions on the S3 bucket side for going through the access point. The role settings in C do not have settings to determine the access point on the bucket side.

vip2 (Options: AE)

A, E are correct

c22ddd8 (Options: BE)

Need access from a different AWS account with restrictions. So it is BE.

Alagong

A. This step ensures that the traffic between the EC2 instances and the S3 data lake does not traverse the public internet, thereby meeting security requirements and reducing latency. C. This step ensures that the access to the data lake is restricted according to company policies. It leverages an S3 bucket policy to enforce access control based on specific conditions, thereby providing an additional layer of security.