The application of a business is hosted in a VPC and sensitive data is stored in Amazon S3. Amazon EC2 instances for the


Post by answerhappygod »

The application of a business is hosted in a VPC and sensitive data is stored in Amazon S3. Amazon EC2 instances for the application are situated in a private subnet, with a NAT gateway on a public network providing access to Amazon S3. S3 buckets are stored in the same AWS Region as EC2 instances. The organization wants to restrict access to this bucket to the VPC in which the application lives.

Which modifications to the design should a network engineer make to fulfill these requirements?

A. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
B. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.