AWS Certified Solutions Architect – Associate (SAA-C02) — Question 422
A company recently launched a new service that involves medical images. The company scans the images and sends them from its on-premises data center through an AWS Direct Connect connection to Amazon EC2 instances. After processing is complete, the images are stored in an Amazon S3 bucket.
A company requirement states that the EC2 instances cannot be accessible through the internet. The EC2 instances run in a private subnet, which has a default route back to the on-premises data center for outbound internet access.
Usage of the new service is increasing rapidly. A solutions architect must recommend a solution that meets the company's requirements and reduces the Direct Connect charges.
Which solution accomplishes these goals MOST cost-effectively?
Answer options
- A. Configure a VPC endpoint for Amazon S3. Add an entry to the private subnet's route table for the S3 endpoint.
- B. Configure a NAT gateway in a public subnet. Configure the private subnet's route table to use the NAT gateway.
- C. Configure Amazon S3 as a file system mount point on the EC2 instances. Access Amazon S3 through the mount.
- D. Move the EC2 instances into a public subnet. Configure the public subnet route table to point to an internet gateway.
Correct answer: B
Explanation
Configuring a NAT gateway in a public subnet and routing the private subnet's outbound traffic through it redirects the Amazon S3 upload traffic away from the AWS Direct Connect path. This prevents high Direct Connect egress charges while keeping the Amazon EC2 instances securely isolated in the private subnet. Other options either fail to maintain the isolation requirement or are less optimal for routing outbound traffic directly to AWS services.