AWS Certified Solutions Architect – Associate (SAA-C02) — Question 344
A company has an application that runs on Amazon EC2 instances within a private subnet in a VPC. The instances access data in an Amazon S3 bucket in the same AWS Region. The VPC contains a NAT gateway in a public subnet to access the S3 bucket. The company wants to reduce costs by replacing the NAT gateway without compromising security or redundancy.
Which solution meets these requirements?
Answer options
- A. Replace the NAT gateway with a NAT instance.
- B. Replace the NAT gateway with an internet gateway.
- C. Replace the NAT gateway with a gateway VPC endpoint.
- D. Replace the NAT gateway with an AWS Direct Connect connection.
Correct answer: C
Explanation
A gateway VPC endpoint provides a highly available, secure, and cost-effective path to Amazon S3 directly from the VPC: traffic stays on the AWS network, the endpoint is added to the private subnet's route table (a route for the S3 prefix list targeting the endpoint), and there are no hourly or data-processing charges, so the NAT gateway and its costs are eliminated. Access can also be tightened with an endpoint policy and bucket policies that restrict traffic to that endpoint. Replacing the NAT gateway with a NAT instance compromises redundancy unless a complex high-availability design is built around it. An internet gateway would require public IP addresses and direct internet access for the instances, compromising security. AWS Direct Connect is intended for on-premises connectivity and does not address this in-Region VPC-to-S3 routing requirement cost-effectively.