Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › An S3 bucket policy grants `s3:GetObject` only w…
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC endpoint condition. What does this restriction accomplish?
APrevents the AWS root account from ever reading the bucket
BAllows reads only via the configured VPC endpoint, blocking access from the public internet or other VPCs
CReduces the storage cost of the bucket by 50%
DForces all reads to occur on Sundays only
Answer & Solution
Correct answer: B. Allows reads only via the configured VPC endpoint, blocking access from the public internet or other VPCs
Conditioning on `aws:SourceVpce` confines reads to traffic flowing through that VPC endpoint — useful for keeping data on the AWS private network. The other options misstate IAM or pricing.
Related questions
Which approach correctly handles environment-specific configuration (DB endpoints, featureAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-A Lambda function reads database credentials at cold start from AWS Secrets Manager and caAn API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w