🔥 3-day streak
AWS Certified CloudOps Engineer - Associate150 / 159
Question 150 of 159

A CloudOps engineer created a Gateway VPC endpoint for Amazon S3 so that EC2 instances in private subnets can reach S3 without traversing a NAT gateway. Route tables and security groups are correctly configured, and instances can list and download from any S3 bucket. However, the security team requires that traffic through this endpoint be allowed to reach ONLY two specific corporate buckets and be denied access to all other buckets, including buckets in other AWS accounts. What is the MOST appropriate way to enforce this restriction?

Reviewed for accuracy · Report an issueNext question