AWS Certified Data Engineer Associate DEA-C01 Practice Question
An Amazon Redshift cluster runs in private subnets without a NAT gateway. The cluster must query only the objects in the s3://dept-finance/raw/ prefix by using Redshift Spectrum. A VPC interface endpoint (AWS PrivateLink) for Amazon S3 already exists in the subnets. Which action enforces this restriction while leaving other VPC workloads unaffected?
Replace the interface endpoint with an S3 gateway endpoint, associate it with the private subnets, and create a bucket policy that limits access to the raw/ prefix.
Modify the Redshift cluster's IAM role to allow s3:GetObject on dept-finance/raw/* and s3:ListBucket on the dept-finance bucket, leaving the endpoint configuration unchanged.
Add a bucket policy on the dept-finance bucket that allows GetObject only from the specified VPC endpoint and raw/ prefix while denying all other access paths.
Attach a custom IAM endpoint policy to the S3 interface VPC endpoint that permits s3:GetObject on arn:aws:s3:::dept-finance/raw/*, s3:ListBucket on arn:aws:s3:::dept-finance, and denies all other S3 actions.
Attaching a custom endpoint policy to the S3 interface endpoint restricts the actions that can be performed through that endpoint only. By allowing s3:GetObject and s3:ListBucket on arn:aws:s3:::dept-finance/raw/* and the bucket respectively, and denying other S3 permissions, the Redshift Spectrum query is limited to the required prefix. Redshift Spectrum requires both ListBucket and GetObject permissions to function. Other workloads that reach S3 through public endpoints or a different gateway are not affected because the endpoint policy is evaluated only when the interface endpoint is used. A bucket policy would impact every caller, changing the behavior for other workloads. Replacing the endpoint is unnecessary and costly. Changing only the Redshift role is a less secure option because the endpoint policy creates a network-level boundary that cannot be bypassed, even by a principal with overly permissive IAM credentials.
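As an added illustration (not part of the original question bank), the endpoint policy the correct answer describes, with a simplified evaluator that shows how it behaves for requests through the endpoint. The bucket and prefix come from the question; the Sid values and the `s3:prefix` condition on ListBucket are my additions, the condition being the check that keeps listing confined to raw/ rather than the whole bucket.

```python
import fnmatch
import json

# Endpoint policy for the S3 interface endpoint (added example). Endpoint
# policies carry no implicit Allow: any request through the endpoint that
# matches no Allow statement is denied, so no explicit Deny is needed.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SpectrumReadRawObjects",  # Sid values are assumptions
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::dept-finance/raw/*"],
        },
        {
            # ListBucket is bucket-level; without the s3:prefix condition the
            # role could enumerate every key in the bucket, not only raw/.
            "Sid": "SpectrumListRawPrefixOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::dept-finance"],
            "Condition": {"StringLike": {"s3:prefix": ["raw/*"]}},
        },
    ],
}


def is_allowed(action, resource, prefix=None):
    """Simplified policy evaluation for one request through the endpoint:
    explicit Deny wins, an Allow must match action, resource and any
    s3:prefix condition (a missing key fails StringLike), else implicit deny."""
    allowed = False
    for stmt in ENDPOINT_POLICY["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None and (
            prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in cond)
        ):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(ENDPOINT_POLICY, indent=2))  # policy document to attach
```

Wildcard matching here follows IAM's convention that `*` also spans `/`, which is why `raw/*` covers nested keys such as raw/2024/ledger.parquet.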
Data Security and Governance