AWS Certified Security – Specialty (SCS-C02) — Question 168

A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket.

The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet.

All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet.

Which solution will meet these requirements?

Answer options

Correct answer: B

Explanation

The correct answer is B because an S3 gateway endpoint lets the Lambda functions in the private subnet reach Amazon S3 directly over the AWS network, so the traffic never crosses the internet. Option A would still route the traffic through the NAT gateway and therefore over the internet, which violates the AWS-network-only requirement. Option C incorrectly suggests placing both resources in the same subnet, which does not change how the traffic is routed, while Option D introduces unnecessary complexity by involving SQS and does not address S3 access at all.
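The following Terraform is an added illustration of option B and is not part of the exam question or any AWS reference material. It assumes the resource names `aws_vpc.main`, `aws_route_table.private`, `aws_s3_bucket.ir_summaries` and a variable `var.ir_lambda_role_arn` holding the incident-response Lambda execution role; beyond creating the endpoint, it adds the check a practitioner would want, a bucket policy that denies any request not arriving through that endpoint, so a misrouted path fails closed rather than silently working via the NAT gateway.

```hcl
# Added example: assumed names aws_vpc.main, aws_route_table.private,
# aws_s3_bucket.ir_summaries and var.ir_lambda_role_arn are placeholders.
data "aws_region" "current" {}

# Gateway endpoint for S3. Associating it with the private route table adds a
# route for the S3 prefix list, so Lambda functions attached to the private
# subnets reach S3 over the AWS network instead of through the NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]

  # Endpoint policy: only the incident-response role may use this endpoint,
  # and only against the summary bucket (least privilege on the path itself).
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
      Resource  = [aws_s3_bucket.ir_summaries.arn, "${aws_s3_bucket.ir_summaries.arn}/*"]
      Condition = { StringEquals = { "aws:PrincipalArn" = var.ir_lambda_role_arn } }
    }]
  })
}

# Bucket policy: deny every request that did not arrive through the endpoint.
# If a function is ever deployed outside the private subnets, its writes are
# rejected instead of quietly taking the NAT/internet route.
resource "aws_s3_bucket_policy" "ir_summaries" {
  bucket = aws_s3_bucket.ir_summaries.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessViaGatewayEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.ir_summaries.arn, "${aws_s3_bucket.ir_summaries.arn}/*"]
      Condition = { StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id } }
    }]
  })
}
```

The Lambda functions must be attached to the private subnets (`vpc_config`) for their S3 traffic to follow the private route table; the Deny statement also blocks administrators and tooling outside the VPC, so add exceptions for those principals before applying it.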