AWS Certified Advanced Networking – Specialty ANS-C00 – Question358

A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
Which changes should a network engineer make to the architecture to meet these requirements?

A.
Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
B. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.

Correct Answer: B