AWS Certified Solutions Architect – Associate (SAA-C02) — Question 358
A company has several Amazon EC2 instances set up in a private subnet for security reasons. These instances host applications that read and write large amounts of data to and from Amazon S3 regularly. Currently, subnet routing directs all the traffic destined for the internet through a NAT gateway. The company wants to optimize the overall cost without impacting the ability of the application to communicate with Amazon S3 or the outside internet.
What should a solutions architect do to optimize costs?
Answer options
- A. Create an additional NAT gateway. Update the route table to route to the NAT gateway. Update the network ACL to allow S3 traffic.
- B. Create an internet gateway. Update the route table to route traffic to the internet gateway. Update the network ACL to allow S3 traffic.
- C. Create a VPC endpoint for Amazon S3. Attach an endpoint policy to the endpoint. Update the route table to direct traffic to the VPC endpoint.
- D. Create an AWS Lambda function outside of the VPC to handle S3 requests. Attach an IAM policy to the EC2 instances, allowing them to invoke the Lambda function.
Correct answer: C
Explanation
Creating a gateway VPC endpoint for Amazon S3 lets the EC2 instances in the private subnet reach S3 directly over the AWS network instead of through the NAT gateway, which removes the NAT gateway data processing charges for the S3 traffic. Gateway endpoints for S3 carry no hourly or per-GB charge, and the route table entry they add sends only S3 destinations to the endpoint, so the existing NAT gateway still handles the remaining internet-bound traffic and the application's connectivity is unchanged. The endpoint policy attached to the endpoint can further restrict which buckets and actions are reachable from the VPC, so security is maintained while costs fall. The other options either increase costs, such as adding a second NAT gateway, or weaken security by routing traffic directly through an internet gateway.