AWS Certified Security – Specialty (SCS-C02) — Question 149

A company has two AWS accounts: Account A and Account B. Each account has a VPC. An application that runs in the VPC in Account A needs to write to an Amazon S3 bucket in Account B. The application in Account A already has permission to write to the S3 bucket in Account B.

The application and the S3 bucket are in the same AWS Region. The company cannot send network traffic over the public internet.

Which solution will meet these requirements?

Answer options

• A. In both accounts, create a transit gateway and VPC attachments in a subnet in each Availability Zone. Update the VPC route tables.
• B. Deploy a software VPN appliance in Account A. Create a VPN connection between the software VPN appliance and a virtual private gateway in Account B.
• C. Create a VPC peering connection between the VPC in Account A and the VPC in Account B. Update the VPC route tables, network ACLs, and security groups to allow network traffic between the peered IP ranges
• D. In Account A, create a gateway VPC endpoint for Amazon S3. Update the VPC route table in Account A.

Correct answer: D

Explanation

The correct answer is D because creating a gateway VPC endpoint for Amazon S3 in Account A allows the application to access the S3 bucket in Account B directly without traversing the public internet. Options A, B, and C involve more complex networking setups that are unnecessary given the requirement to access S3 directly within the same region.