Q156. An IT company owns a web product in AWS that provides discount restaurant information to customers. It has used one S3 bucket (my_bucket) to store restaurant data such as pictures, menus, etc. The product is deployed in VPC subnets. The company's Cloud Architect decides to configure a VPC endpoint for this S3 bucket so that performance will be enhanced. To comply with security rules, it is required that the new VPC endpoint is only used to communicate with this specific S3 bucket, and, on the other hand, that the S3 bucket only allows read/write operations coming from this VPC endpoint.
Which two options should the Cloud Architect choose to meet the security needs?
A. Use a VPC endpoint policy for Amazon S3 to restrict access to the S3 bucket "my_bucket" so that the VPC endpoint is only allowed to perform S3 actions on "my_bucket".
B. Modify the security group of the EC2 instance to limit the outbound actions to the VPC endpoint if the outgoing traffic destination is the S3 bucket "my_bucket".
C. In the S3 bucket "my_bucket", add an S3 bucket policy in which all actions are denied if the source IP address is not equal to the EC2 public IP (use the "NotIpAddress" condition).
D. For the S3 bucket "my_bucket", use an S3 bucket policy that denies all actions if the source VPC endpoint is not equal to the endpoint ID that was created.
E. Create an S3 bucket policy in the S3 bucket "my_bucket" which denies all actions unless the source IP address is equal to the EC2 public IP (use the "IpAddress" condition).
Correct answer: AD
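As an added worked example (not part of the original question), the two policy documents behind options A and D, plus a simplified evaluator showing how they interlock: the endpoint policy scopes the endpoint to my_bucket, and the bucket policy's Deny on aws:SourceVpce turns away traffic from any other endpoint or from outside the VPC. The endpoint ID vpce-0123456789abcdef0 is a constructed placeholder, and the evaluator models only resource matching and the StringNotEquals condition, not full IAM evaluation.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::my_bucket"
VPCE_ID = "vpce-0123456789abcdef0"  # constructed placeholder endpoint ID

def endpoint_policy(bucket_arn: str) -> dict:
    """Option A: the VPC endpoint may perform S3 actions only on my_bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyMyBucketThroughThisEndpoint", "Effect": "Allow",
        "Principal": "*", "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"]}]}

def bucket_policy(bucket_arn: str, vpce_id: str) -> dict:
    """Option D: deny every request whose source VPC endpoint is not ours."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromOurEndpoint", "Effect": "Deny",
        "Principal": "*", "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}

def _covers(statement: dict, resource: str) -> bool:
    # IAM resource ARNs may use "*" wildcards; fnmatch is enough for these ARNs.
    return any(fnmatch.fnmatchcase(resource, r) for r in statement["Resource"])

def bucket_policy_denies(policy: dict, resource: str, ctx: dict) -> bool:
    """True if a Deny statement matches the request. As in IAM, StringNotEquals
    also matches when the key is absent, so a request that never traversed a
    VPC endpoint (e.g. one arriving from a public IP) is denied as well."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not _covers(st, resource):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if all(ctx.get(key) != value for key, value in cond.items()):
            return True
    return False

def endpoint_policy_allows(policy: dict, resource: str) -> bool:
    """True if an Allow statement in the endpoint policy covers the resource."""
    return any(st["Effect"] == "Allow" and _covers(st, resource)
               for st in policy["Statement"])

def request_allowed(resource: str, ctx: dict) -> bool:
    """Simplified combined check: an explicit Deny in the bucket policy wins, and
    traffic through the endpoint must also pass the endpoint policy."""
    if bucket_policy_denies(bucket_policy(BUCKET_ARN, VPCE_ID), resource, ctx):
        return False
    if "aws:SourceVpce" in ctx:  # request came through some VPC endpoint
        return endpoint_policy_allows(endpoint_policy(BUCKET_ARN), resource)
    return True
```

Because the Deny has no exception, management traffic that does not traverse the endpoint (for example from the AWS console) is blocked too, which is exactly the requirement stated in the question.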