AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 371

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a `backdoor`, and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?

Answer options

• A. AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.
• B. Direct Connect customers with a Public VIF in the same region could directly reach the router.
• C. EC2 instances in the same region with access to the Internet could directly reach the router.
• D. The S3 service could reach the router through a pre-configured VPC Endpoint.

Correct answer: A

Explanation

When using a Public VIF with AWS-owned public IP addresses, AWS advertises these IP prefixes to the public Internet via BGP. This means the customer's on-premises router becomes reachable from any location on the Internet, creating a significant security risk if proper firewall rules are not implemented. Other options do not accurately represent the primary routing and exposure behavior associated with AWS Public VIF address allocation.