Block outbound access to public S3 endpoints on the proxy server. Configure Network ACLs on Server X to deny access to S3 endpoints. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server. Remove the IAM instance role from the application server and save API access keys in a AWS Dumps trusted and encrypted application config file. 10. A company will store sensitive documents in three Amazon S3 buckets based on a data classification scheme of “Sensitive,” “Confidential,” and “AWS Dumps Restricted.” The security solution must meet all of the following requirements: Each object must be encrypted using a unique key. Items that are stored in the “Restricted” bucket require two-factor authentication for decryption.