Exhibit

Refer to the exhibit.

```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "vpce-12345678"
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
```

A company has attached the above bucket policy to an S3 bucket. The bucket is accessed by an application running on an EC2 instance in the same AWS account. The EC2 instance is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678) to access the bucket. The application is failing to get objects from the bucket. What is the most likely cause?

Trap 1: The application is not using the VPC endpoint
The Allow statement requires the VPC endpoint, but the Deny statement does not depend on it. If the application uses the endpoint, the Allow is satisfied, but the Deny may still block if not HTTPS.
Trap 2: The bucket policy does not allow encryption in transit
The policy does enforce HTTPS via Deny, but that is not the issue; the issue is likely that the application is not using HTTPS.
Trap 3: The application is missing the required…
No such requirement in the policy.
- A. The application is not using the VPC endpoint
  Why wrong: The Allow statement requires the VPC endpoint, but the Deny statement does not depend on it. If the application uses the endpoint, the Allow is satisfied, but the Deny may still block if not HTTPS.
- B. The bucket policy does not allow encryption in transit
  Why wrong: The policy does enforce HTTPS via Deny, but that is not the issue; the issue is likely that the application is not using HTTPS.
- C. The application is using HTTP instead of HTTPS
  Why correct: The Deny statement blocks requests where `aws:SecureTransport` is false, i.e., plain HTTP. The application may be using HTTP.
- D. The application is missing the required x-amz-server-side-encryption header
  Why wrong: No such requirement in the policy.
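The following added example (not part of the original question) makes the policy evaluation concrete. It is a simplified evaluator written here for illustration, not AWS's policy engine: it implements only what the exhibit needs (the `StringEquals` and `Bool` condition operators, wildcard matching on `Action` and `Resource`, and the rule that an explicit Deny overrides any Allow while no matching Allow is an implicit deny). The policy is the exhibit's, with a `Principal` of `"*"` assumed so that it is a valid bucket policy; the object key and the three request contexts are constructed to cover the answer options, including the no-endpoint case from Trap 1.

```python
"""
Simplified evaluator for the exhibit's S3 bucket policy (illustration only).

Implements only the subset of IAM semantics the exhibit exercises:
  - StringEquals and Bool condition operators
  - wildcard matching for Action and Resource
  - explicit Deny wins; no matching Allow -> implicit deny
"""
import fnmatch

# The exhibit's policy. "Principal": "*" is an assumption added here because a
# bucket (resource) policy must carry a Principal element.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-12345678"}},
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches the request context."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                # A key absent from the request (e.g. no aws:SourceVpce when the
                # request did not traverse a VPC endpoint) never satisfies
                # StringEquals or Bool.
                return False
            if operator == "StringEquals":
                if str(actual) not in [str(v) for v in _as_list(expected)]:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return (outcome, statement_index): outcome is 'allow', 'explicit_deny' or 'implicit_deny'."""
    allowed_by = None
    for idx, stmt in enumerate(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny", idx  # an explicit Deny overrides every Allow
        if allowed_by is None:
            allowed_by = idx
    return ("allow", allowed_by) if allowed_by is not None else ("implicit_deny", None)


# Constructed sample object and request contexts for the scenario in the question.
OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/2024.csv"
REQUESTS = {
    # HTTPS through the gateway endpoint: the intended, working path
    "https_via_endpoint": {"aws:SourceVpce": "vpce-12345678", "aws:SecureTransport": "true"},
    # HTTP through the gateway endpoint: answer C, blocked by the Deny statement
    "http_via_endpoint": {"aws:SourceVpce": "vpce-12345678", "aws:SecureTransport": "false"},
    # HTTPS without the endpoint (Trap 1): the Allow never matches
    "https_no_endpoint": {"aws:SecureTransport": "true"},
}


def classify_requests():
    """Map each constructed request to its evaluation outcome for s3:GetObject."""
    return {name: evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, ctx)[0]
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, outcome in classify_requests().items():
        print(f"{name:20s} -> {outcome}")
```

Running it shows the three distinct outcomes: HTTPS via the endpoint is allowed, HTTP via the endpoint hits the explicit Deny even though the Allow matched, and HTTPS without the endpoint is implicitly denied because no Allow applies. The second case is the failure the question describes; the third is what the Trap 1 distractor would look like.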