AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 353
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?
Answer options
- A. Configure an AWS Direct Connect private virtual interface to the company's AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
- B. Configure a VPN connection to the company's AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.
- C. Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over a Direct Connect connection.
- D. Configure a VPN connection to the company's AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
Correct answer: A
Explanation
Option A is correct. On-premises traffic enters the VPC over a Direct Connect private virtual interface and is sent to an HTTPS proxy that has a private IP address in the VPC. The proxy forwards the requests to Amazon S3 through the VPC gateway endpoint, so S3 sees them arrive from the endpoint with a private VPC source address rather than from a public IP, which satisfies the bucket policy. The proxy is required because a gateway endpoint can only be used by traffic that originates inside the VPC; hosts on the other side of Direct Connect or a VPN cannot route to it directly.
Option C is incorrect because a public virtual interface reaches the public S3 endpoints: the requests arrive at S3 from the company's public address space, which the bucket policy denies. Option B is incorrect because a Site-to-Site VPN terminates on the VPC's virtual private gateway and AWS advertises only the VPC CIDR over it, not S3 prefixes; the gateway endpoint route in the VPC route table does not apply to traffic coming from on-premises, so there is no private path to S3. Option D is incorrect because a NAT gateway translates the traffic to its Elastic IP, a public address, so S3 would again see a public source IP and deny the request.
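The bucket policy the question describes, written out, together with a simplified check of how it treats the traffic each answer option would produce. This is an added example, not part of the original question or of any AWS documentation; the bucket name, endpoint ID, source addresses and the policy evaluator are all constructed for illustration. The evaluator models only the two condition operators the policy uses (negated operators match when the key is absent from the request context, as IAM specifies), and the request contexts are approximations of what S3 sees: a request through a gateway endpoint carries aws:sourceVpce and the private address of the requesting instance, while requests over a public VIF or through a NAT gateway carry a public source address and no endpoint ID. "PASS" means only that the explicit Deny does not apply; an Allow (bucket policy or IAM) is still needed to grant access.

```python
import ipaddress
import json

# All identifiers below are constructed placeholders for illustration; they are
# not from the original question. The on-premises and VPC networks are assumed
# to use RFC 1918 space.
BUCKET = "example-access-logs-bucket"
S3_GATEWAY_ENDPOINT_ID = "vpce-0123456789abcdef0"
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_bucket_policy(bucket=BUCKET, vpce_id=S3_GATEWAY_ENDPOINT_ID):
    """Return the bucket policy as a dict.

    One explicit Deny: a request is refused when it did NOT come through the S3
    gateway endpoint AND its source address is NOT private. IAM ANDs the two
    condition operators, so traffic through the endpoint passes (aws:SourceIp is
    then the private address of the instance behind the endpoint), a private-
    address request that did not use the endpoint also passes, and anything
    arriving from a public address without the endpoint is refused.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRequestsFromPublicAddresses",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:sourceVpce": vpce_id},
                    "NotIpAddress": {"aws:SourceIp": PRIVATE_RANGES},
                },
            }
        ],
    }


def _cidr_match(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def deny_applies(policy, request):
    """Simplified IAM evaluation of the policy's Deny statements.

    `request` maps condition keys (aws:SourceIp, aws:sourceVpce) to the values
    present in the request context. Operators within one statement are ANDed;
    multiple values for one key are ORed. Negated operators (StringNotEquals,
    NotIpAddress) evaluate to true when the key is absent, as IAM specifies.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for op, kv in stmt.get("Condition", {}).items():
            for key, values in kv.items():
                if isinstance(values, str):
                    values = [values]
                present = key in request
                if op == "StringNotEquals":
                    ok = (not present) or request[key] not in values
                elif op == "NotIpAddress":
                    ok = (not present) or not _cidr_match(request[key], values)
                else:
                    raise ValueError(f"operator not modelled: {op}")
                matched = matched and ok
        if matched:
            return True
    return False


# Constructed request contexts approximating what S3 would see for each option.
REQUESTS = {
    "A private VIF + proxy + gateway endpoint": {
        "aws:SourceIp": "10.20.1.15",            # proxy's private VPC address
        "aws:sourceVpce": S3_GATEWAY_ENDPOINT_ID,
    },
    "C public VIF, on-premises proxy": {"aws:SourceIp": "203.0.113.10"},   # company public IP
    "D VPN + proxy behind NAT gateway": {"aws:SourceIp": "198.51.100.7"},  # NAT gateway EIP
}


def evaluate_options(policy=None):
    """Map each option to DENY (explicit deny applies) or PASS (it does not)."""
    policy = policy or build_bucket_policy()
    return {name: ("DENY" if deny_applies(policy, ctx) else "PASS")
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(), indent=2))
    for name, verdict in evaluate_options().items():
        print(f"{verdict}: {name}")
```

The aws:SourceIp private-range condition is kept to match the question's wording; in practice the aws:sourceVpce (or aws:sourceVpc) condition alone is the more robust way to pin a bucket to endpoint traffic, and the same Deny logic is what breaks existing public-IP allow lists the moment a gateway endpoint is added to the VPC's route table.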