AWS Certified Security – Specialty — Question 373

A company has an AWS Lambda function that requires access to an Amazon S3 bucket. The company’s security policy requires that connections to Amazon S3 are over a private network and are secure.

The company has configured a gateway VPC endpoint in the VPC to allow access to Amazon S3. The company has configured the Lambda function to run inside the VPC. Additionally, the company has configured the Lambda function to use a private subnet that has a route to the internet through a NAT gateway.

Other resources in the VPC use this private subnet to access the internet successfully. When the Lambda function runs, it uses the NAT gateway instead of the gateway VPC endpoint to access Amazon S3.

What can a security engineer do to ensure that the Lambda function uses the gateway VPC endpoint for Amazon S3?

Answer options

Correct answer: B

Explanation

A gateway VPC endpoint only affects the subnets whose route table it is associated with. When the endpoint is associated with a route table, AWS automatically adds a route whose destination is the AWS-managed prefix list for Amazon S3 in that Region (pl-xxxxxxxx) and whose target is the endpoint (vpce-xxxxxxxx). That prefix-list route is more specific than 0.0.0.0/0, so S3 traffic from the subnet is sent to the endpoint rather than to the NAT gateway. Here the Lambda function's network interfaces are in a private subnet whose route table has not been associated with the endpoint, so the only route that matches S3 traffic is 0.0.0.0/0 via the NAT gateway. The fix is to associate the gateway endpoint with the route table of every subnet configured on the Lambda function (a subnet with no explicit association uses the VPC's main route table). Endpoint policies, S3 bucket policies, and security groups decide what is allowed, not how packets are routed, so changing them cannot move the traffic onto the endpoint. Note also that a gateway endpoint only serves S3 in its own Region; requests to buckets in other Regions still follow the 0.0.0.0/0 route.
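The following added example (not part of the exam page) shows the check a security engineer would run before changing anything: given the route tables and the S3 gateway endpoint as returned by EC2 DescribeRouteTables and DescribeVpcEndpoints, determine where S3 traffic from the Lambda function's subnet actually goes and which route tables the endpoint still needs to be associated with. The data is constructed inline, trimmed to the fields used, and every subnet, route table, NAT gateway and endpoint ID is hypothetical.

```python
"""Offline check: does the route table of a Lambda function's subnet send
Amazon S3 traffic to the gateway VPC endpoint or to the NAT gateway?

Added example, not from the exam page. The structures below are constructed
to mirror the shapes of EC2 DescribeRouteTables / DescribeVpcEndpoints
responses (trimmed to the fields used); all IDs are hypothetical.
"""

# Constructed sample: two private subnets, each explicitly associated with
# its own route table. Both have 0.0.0.0/0 -> NAT gateway; only rtb-0bbb has
# been associated with the S3 gateway endpoint.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0aaa",
        "Associations": [{"SubnetId": "subnet-0lambda"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-0bbb",
        "Associations": [{"SubnetId": "subnet-0other"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
            # Added automatically by AWS when the endpoint was associated
            # with this route table: S3 prefix list -> gateway endpoint.
            {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-0s3"},
        ],
    },
]

S3_ENDPOINT = {
    "VpcEndpointId": "vpce-0s3",
    "VpcEndpointType": "Gateway",
    "ServiceName": "com.amazonaws.us-east-1.s3",
    "RouteTableIds": ["rtb-0bbb"],  # route tables the endpoint is associated with
}


def route_table_for_subnet(subnet_id, route_tables):
    """Return the route table explicitly associated with subnet_id.

    A subnet without an explicit association uses the VPC main route table;
    the constructed sample gives every subnet an explicit one, so that case
    is reported as an error rather than silently guessed.
    """
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    raise LookupError(f"no explicit route table association for {subnet_id}")


def s3_path(subnet_id, route_tables, endpoint):
    """Decide where S3 traffic from subnet_id is routed.

    A prefix-list route whose target is the gateway endpoint is more specific
    than 0.0.0.0/0, so it wins whenever it is present. Returns
    ("endpoint", vpce-id), ("nat", nat-id), ("default", other-target) or
    ("none", None) when nothing matches.
    """
    rt = route_table_for_subnet(subnet_id, route_tables)
    for r in rt["Routes"]:
        if r.get("DestinationPrefixListId") and r.get("GatewayId") == endpoint["VpcEndpointId"]:
            return ("endpoint", endpoint["VpcEndpointId"])
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            target = r.get("NatGatewayId") or r.get("GatewayId") or "unknown"
            return ("nat" if target.startswith("nat-") else "default", target)
    return ("none", None)


def missing_associations(lambda_subnets, route_tables, endpoint):
    """Route table IDs used by the Lambda subnets that the endpoint is not yet
    associated with; these are the IDs to pass to ModifyVpcEndpoint."""
    needed = {route_table_for_subnet(s, route_tables)["RouteTableId"] for s in lambda_subnets}
    return sorted(needed - set(endpoint["RouteTableIds"]))


if __name__ == "__main__":
    for subnet in ("subnet-0lambda", "subnet-0other"):
        print(subnet, "->", s3_path(subnet, ROUTE_TABLES, S3_ENDPOINT))
    print("associate endpoint with:", missing_associations(["subnet-0lambda"], ROUTE_TABLES, S3_ENDPOINT))
```

With the constructed data, subnet-0lambda resolves to the NAT gateway and rtb-0aaa is reported as the missing association. The remediation itself is a single API call, ModifyVpcEndpoint with AddRouteTableIds (for example `aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-0s3 --add-route-table-ids rtb-0aaa`, using the hypothetical IDs above); rerunning the check afterwards should show the prefix-list route and an "endpoint" result.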