AWS Certified Solutions Architect – Associate (SAA-C02) — Question 248

A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief information security officer has directed that no application traffic between the two services should traverse the public internet.
Which capability should the solutions architect use to meet the compliance requirements?

Answer options

A. AWS Key Management Service
B. VPC endpoint
C. Private subnet
D. Virtual private gateway
Correct answer: B

Explanation

The correct answer is B, VPC endpoint. A gateway endpoint for Amazon S3 adds a route to the subnet's route table that sends S3-bound traffic over the AWS network, so EC2 can reach S3 without an internet gateway or NAT device and without traversing the public internet, which meets the compliance requirement. Option A, AWS Key Management Service, manages encryption keys and has no effect on how traffic is routed. Option C, Private subnet, is a network configuration choice, but on its own it provides no path to S3 at all (a private subnet still needs a NAT device or an endpoint to reach S3). Option D, Virtual private gateway, terminates Site-to-Site VPN and AWS Direct Connect connections and does not apply to traffic flowing between EC2 and S3.
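As an added example (not part of the original question and not AWS's own code), the following Python builds the parameters for creating the S3 gateway endpoint and a bucket policy that denies any request not arriving through that endpoint, then evaluates sample request contexts against it so the "no public path" requirement can be checked rather than assumed. The bucket name, VPC, route table and endpoint IDs are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the original question.
BUCKET = "example-app-bucket"
ENDPOINT_ID = "vpce-0123456789abcdef0"


def gateway_endpoint_request(vpc_id, route_table_ids, region="us-east-1"):
    """Parameters for ec2.CreateVpcEndpoint: a Gateway endpoint for S3.
    Associating it with the route tables adds the prefix-list route that
    keeps EC2 -> S3 traffic on the AWS network (no IGW or NAT needed)."""
    return {
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.s3",
        "VpcEndpointType": "Gateway",
        "RouteTableIds": list(route_table_ids),
    }


def bucket_policy(bucket, endpoint_id):
    """Bucket policy that denies every S3 action unless the request carries
    the aws:sourceVpce key for our endpoint. An allowing identity policy
    is still required; this statement only closes the public-internet path."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAccessNotViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": endpoint_id}},
        }],
    }


def request_allowed(policy, request_context):
    """Minimal evaluator for the Deny statement above (explicit Deny wins).
    IAM treats StringNotEquals as matching when the key is absent, so a
    request that did not come through any endpoint is denied as well."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            if request_context.get(key) != expected:
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, ENDPOINT_ID), indent=2))
```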