A company wants S3 access to be available only from private connectivity. They created an Interface VPC Endpoint for S3 (that provides private connectivity from their VPC to S3) and configured the application to use it from private subnets. The IAM role allows:
- s3:GetObject on arn:aws:s3:::confidential-bucket/reports/*
However, requests fail with AccessDenied. The S3 bucket policy includes an allow statement that permits GetObject only if:
- aws:SourceVpce equals "vpce-0abc12345def6789"
After redeploying the VPC endpoint, the application still uses the same IAM permissions but gets AccessDenied. What change is most likely to fix the issue?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Update the bucket policy to allow the new VPC endpoint ID (the vpce-* value) created by the redeployment.
The bucket policy is pinned to a specific endpoint ID using aws:SourceVpce. Redeploying or recreating the endpoint creates a new endpoint ID, so requests now present a different aws:SourceVpce value. Updating the bucket policy to match the new endpoint ID makes the condition true again while keeping access restricted to that specific private endpoint.
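The following added example (not part of the original question page) models the situation above in plain Python with no AWS calls: it builds the bucket policy with the aws:SourceVpce pin, runs a deliberately simplified evaluator over it, and shows why requests fail after the endpoint is recreated and pass again once the policy references the new ID. The endpoint ID "vpce-0fedcba987654321" for the redeployed endpoint is constructed for illustration, and the evaluator only handles Allow statements with StringEquals conditions (real S3 evaluation also considers explicit denies, identity policies, SCPs and other condition keys).

```python
"""Simplified model of a bucket policy pinned to a VPC endpoint ID.

Added illustration: this is not the page's material and it simulates only
the slice of policy evaluation needed here (Allow + StringEquals on
aws:SourceVpce). It makes no AWS API calls.
"""
import fnmatch
import json

# Constructed values: the bucket and endpoint ID from the question, plus a
# hypothetical ID for the endpoint after it was redeployed.
BUCKET = "confidential-bucket"
OLD_VPCE = "vpce-0abc12345def6789"
NEW_VPCE = "vpce-0fedcba987654321"  # hypothetical post-redeploy endpoint ID


def build_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy allowing GetObject on reports/* only via one VPC endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGetFromPrivateEndpointOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/reports/*",
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def _matches(pattern, value: str) -> bool:
    """Action/Resource may be a string or a list; '*' and '?' act as IAM-style wildcards."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """StringEquals only; a key missing from the request context makes the condition false."""
    for key, expected in condition.get("StringEquals", {}).items():
        expected_values = expected if isinstance(expected, list) else [expected]
        if context.get(key) not in expected_values:
            return False
    return True


def bucket_policy_allows(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if some Allow statement matches the action, resource and request context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # simplified model: explicit Deny handling omitted
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def rotate_endpoint_id(policy: dict, new_vpce_id: str) -> dict:
    """The fix: return a copy of the policy with every aws:SourceVpce pin set to the new ID."""
    updated = json.loads(json.dumps(policy))  # deep copy via JSON round trip
    for stmt in updated["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceVpce" in cond:
            cond["aws:SourceVpce"] = new_vpce_id
    return updated


def scenario() -> dict:
    """Walk the question: before redeploy, after redeploy, after updating the policy."""
    resource = f"arn:aws:s3:::{BUCKET}/reports/q1.pdf"  # constructed object key
    policy = build_bucket_policy(BUCKET, OLD_VPCE)
    via_old = {"aws:SourceVpce": OLD_VPCE}
    via_new = {"aws:SourceVpce": NEW_VPCE}
    from_internet = {}  # no endpoint in the request context, e.g. egress via a NAT Gateway
    fixed = rotate_endpoint_id(policy, NEW_VPCE)
    return {
        "before_redeploy": bucket_policy_allows(policy, "s3:GetObject", resource, via_old),
        "after_redeploy": bucket_policy_allows(policy, "s3:GetObject", resource, via_new),
        "after_fix": bucket_policy_allows(fixed, "s3:GetObject", resource, via_new),
        "nat_gateway_path": bucket_policy_allows(fixed, "s3:GetObject", resource, from_internet),
        "put_object_after_fix": bucket_policy_allows(fixed, "s3:PutObject", resource, via_new),
    }


if __name__ == "__main__":
    for step, allowed in scenario().items():
        print(f"{step:>22}: {'allowed' if allowed else 'AccessDenied'}")
```

The "nat_gateway_path" and "put_object_after_fix" entries correspond to the distractors: a request that does not arrive through the endpoint carries no aws:SourceVpce value, so the condition can never be true, and adding PutObject permissions does nothing for a GetObject evaluation.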
Distractor review
Add internet egress via a NAT Gateway so the requests can reach S3 over the public endpoint.
This would violate the private-only requirement and would not satisfy the aws:SourceVpce condition in the bucket policy, because public routing does not present the same SourceVpce context to S3.
Distractor review
Remove the aws:SourceVpce condition from the bucket policy to ensure the IAM permissions are sufficient.
Removing SourceVpce would broaden access to requests originating outside the intended private connectivity path, including from the public internet, which defeats the stated security requirement.
Distractor review
Update the IAM role to add s3:PutObject permissions so the requests can be authorized.
The requests are failing for GetObject authorization (the action in the bucket policy condition). Adding PutObject permissions does not change the evaluation for s3:GetObject against the bucket policy.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
Key Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
Exam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
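As an added worked example (not from the original page), the calculator below uses Python's standard ipaddress module to derive the network, mask, broadcast, usable range, block size and usable host count from any address written with a prefix, and to pick the smallest subnet for a required host count. It also handles the /31 and /32 edge cases, which the "minus two" rule does not cover. The sample addresses in it are constructed.

```python
"""Subnet arithmetic for the exam trap above: usable hosts are not total addresses.

Added example using only the standard library; sample inputs are constructed.
"""
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Derive the facts exam questions ask for from any address in a subnet (e.g. 10.0.1.77/26)."""
    iface = ipaddress.ip_interface(cidr)  # host address plus prefix is accepted
    net = iface.network
    prefix = net.prefixlen
    total = net.num_addresses
    if prefix <= 30:
        usable = total - 2  # network and broadcast addresses are reserved
        first, last = net.network_address + 1, net.broadcast_address - 1
    elif prefix == 31:
        usable = 2  # RFC 3021 point-to-point link: both addresses are usable
        first, last = net.network_address, net.broadcast_address
    else:
        usable = 1  # /32 is a single host route
        first = last = net.network_address
    # Block size: 256 minus the first mask octet that is not 255 (exam convention);
    # a /32 has no such octet and its block size is 1.
    mask_octets = [int(o) for o in str(net.netmask).split(".")]
    block_size = next((256 - o for o in mask_octets if o != 255), 1)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "total_addresses": total,
        "usable_hosts": usable,
        "block_size": block_size,
    }


def smallest_prefix_for_hosts(required_hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable host count covers the requirement."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= required_hosts:
            return prefix
    raise ValueError("no IPv4 subnet can hold that many hosts")


if __name__ == "__main__":
    for sample in ("10.0.1.77/26", "192.168.10.200/24", "172.16.8.9/27", "10.0.0.0/31"):
        print(sample, subnet_facts(sample))
    for hosts in (30, 50, 63):
        print(f"{hosts} hosts -> /{smallest_prefix_for_hosts(hosts)}")
```

Note that a /27 gives 30 usable hosts, so a requirement of exactly 30 still fits, whereas 63 hosts forces a /25 because a /26 only has 62.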
Related practice questions
Related SAA-C03 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
SAA-C03 VPC practice questions
Practise SAA-C03 questions linked to SAA-C03 VPC.
SAA-C03 S3 lifecycle policy questions
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
SAA-C03 RDS Multi-AZ questions
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
SAA-C03 IAM policy practice questions
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
SAA-C03 Route 53 failover questions
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
SAA-C03 CloudFront practice questions
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
SAA-C03 NAT gateway questions
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
SAA-C03 VPC endpoint questions
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
SAA-C03 Auto Scaling practice questions
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
SAA-C03 disaster recovery questions
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
SAA-C03 high availability questions
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
SAA-C03 cost optimization questions
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?
Question 2
A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?
Question 3
A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.
Question 4
A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
Question 5
A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
Question 6
A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
FAQ
Questions learners often ask
What does this SAA-C03 question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: Update the bucket policy to allow the new VPC endpoint ID (the vpce-* value) created by the redeployment. — With bucket policies that include aws:SourceVpce conditions, S3 allows the request only when the request originates through the specified VPC endpoint ID. When the VPC endpoint is redeployed, the new endpoint instance typically gets a different vpce-* ID. The IAM role may still allow s3:GetObject, but the bucket policy condition becomes false, resulting in AccessDenied. Updating the bucket policy to reference the new VPC endpoint ID restores access while preserving private-only enforcement. B breaks the private-only design and still would not satisfy the SourceVpce condition. C removes the control used to enforce private connectivity. D changes an unrelated S3 action (PutObject) and does not address the bucket policy condition for GetObject.
What should I do if I get this SAA-C03 question wrong?
Try more questions from the same exam bank and focus on understanding why the wrong options are tempting.