AWS Certified Solutions Architect – Associate (SAA-C02) — Question 430

A company is designing a new application that runs in a VPC on Amazon EC2 instances. The application stores data in Amazon S3 and uses Amazon DynamoDB as its database. For compliance reasons, the company prohibits all traffic between the EC2 instances and other AWS services from passing over the public internet.
What can a solutions architect do to meet this requirement?

Answer options

Correct answer: A

Explanation

Gateway VPC endpoints provide private connectivity from a VPC to Amazon S3 and Amazon DynamoDB without traversing the public internet. Because Amazon DynamoDB only supports gateway endpoints and does not support interface endpoints, options B, C, and D are incorrect. Implementing gateway VPC endpoints for both services is the correct and fully supported method to meet the compliance requirement.
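The following check is an added example, not part of the original question or its explanation. It audits whether every application subnet's route table is associated with an available gateway endpoint for both S3 and DynamoDB. The input shapes follow the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables`. All IDs are constructed, and the sketch assumes subnets have explicit route table associations (subnets that fall back to the main route table are not resolved).

```python
# Input shapes follow `aws ec2 describe-vpc-endpoints` / `describe-route-tables`.
# All IDs are constructed sample data, not from a real account.
REQUIRED = ("s3", "dynamodb")

ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway", "State": "available",
     "VpcId": "vpc-0123", "ServiceName": "com.amazonaws.us-east-1.s3",
     "RouteTableIds": ["rtb-app-a", "rtb-app-b"]},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Gateway", "State": "available",
     "VpcId": "vpc-0123", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "RouteTableIds": ["rtb-app-a"]},  # rtb-app-b was never associated
]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-app-a", "VpcId": "vpc-0123",
     "Associations": [{"SubnetId": "subnet-app-a"}]},
    {"RouteTableId": "rtb-app-b", "VpcId": "vpc-0123",
     "Associations": [{"SubnetId": "subnet-app-b"}]},
]}


def covered_route_tables(endpoints, vpc_id):
    """Map service short name -> route table IDs served by an available gateway endpoint."""
    covered = {svc: set() for svc in REQUIRED}
    for ep in endpoints["VpcEndpoints"]:
        svc = ep["ServiceName"].rsplit(".", 1)[-1]  # "com.amazonaws.<region>.s3" -> "s3"
        if (ep["VpcId"] == vpc_id and ep["VpcEndpointType"] == "Gateway"
                and ep["State"] == "available" and svc in covered):
            covered[svc].update(ep.get("RouteTableIds", []))
    return covered


def find_gaps(endpoints, route_tables, vpc_id, app_subnets):
    """Return sorted (subnet, service) pairs whose route table lacks a gateway endpoint."""
    covered = covered_route_tables(endpoints, vpc_id)
    gaps = []
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")  # main-table associations carry no SubnetId
            if subnet in app_subnets:
                gaps += [(subnet, s) for s in REQUIRED if rt["RouteTableId"] not in covered[s]]
    return sorted(gaps)


if __name__ == "__main__":
    print(find_gaps(ENDPOINTS, ROUTE_TABLES, "vpc-0123", {"subnet-app-a", "subnet-app-b"}))
```

On the sample data the check reports that `subnet-app-b` has no gateway endpoint path to DynamoDB: the endpoint exists in the VPC, but it only takes effect for route tables it is associated with.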