AWS Certified Solutions Architect – Associate (SAA-C02) — Question 366

A company's application hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Due to data sensitivity, traffic cannot traverse the internet.
How should a solutions architect configure access?

Answer options

• A. Create a private hosted zone using Amazon Route 53.
• B. Configure a VPC gateway endpoint for Amazon S3 in the VPC.
• C. Configure AWS PrivateLink between the EC2 instance and the S3 bucket.
• D. Set up a site-to-site VPN connection between the VPC and the S3 bucket.

Correct answer: B

Explanation

A VPC gateway endpoint enables Amazon EC2 instances inside a VPC to connect privately to Amazon S3 without traversing the public internet. This routes all traffic through the AWS internal network automatically and securely. Other options, such as Route 53 private hosted zones or Site-to-Site VPNs, do not establish the required private path to S3.