AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 373

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

Answer options

• A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
• B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
• C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.
• D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon S3.

Correct answer: C

Explanation

Using an AWS-managed prefix-list in the security group outbound rules is the most efficient solution because AWS automatically maintains the list of IP addresses for Amazon S3, eliminating the need for manual or scripted updates. Option A is overly complex and requires maintaining custom code, while Option B addresses routing rather than the security group restriction causing the timeouts. Option D is incorrect because the issue is caused by firewall blocking due to changed IPs, not endpoint throughput limits.