AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 31
A finance company stores confidential data in an Amazon S3 bucket. The company uses Amazon QuickSight to analyze the data and create dashboard reports. The company requires that all data access and connections to QuickSight remain within the company's VPC network boundary.
Which solution will meet these requirements?
Answer options
- A. Create an interface VPC endpoint for QuickSight. Configure the endpoint to connect to QuickSight within the VPC by using AWS PrivateLink. Create a manifest file that points to the S3 data. Grant QuickSight permission to access the S3 bucket.
- B. Set up a VPC endpoint for QuickSight. Use an Amazon EC2 instance as a proxy to establish a direct connection between the VPC and QuickSight. Create a manifest file that points to the S3 data. Store the manifest on the EC2 instance. Grant QuickSight permission to access the EC2 instance.
- C. Configure an Amazon S3 VPC gateway endpoint. Route all data from QuickSight through the endpoint to transfer data. Grant QuickSight permission to access the S3 bucket.
- D. Configure a NAT gateway in the company’s VPC. Route all data from QuickSight through the NAT gateway to transfer data. Grant QuickSight permission to access the S3 bucket.
Correct answer: A
Explanation
The correct answer is A. An interface VPC endpoint, using AWS PrivateLink, lets QuickSight access the S3 bucket securely within the VPC, which satisfies the network boundary requirement. Options B and C introduce unnecessary complexity and do not provide the direct integration with QuickSight that option A does. Option D uses a NAT gateway, which does not keep the connection entirely within the VPC as required.