AWS Certified Solutions Architect – Associate (SAA-C02) — Question 556

A company has a document management application that contains PDF documents. The company hosts the application on Amazon EC2 instances. According to regulations, the instances must not have access to the internet. The application must be able to read and write to a persistent storage system that provides native versioning capabilities.
A solutions architect needs to design secure storage that maximizes resiliency and facilitates data sharing across instances.
Which solution meets these requirements?

Answer options

• A. Place the instances in a public subnet. Use Amazon S3 for storage. Access S3 objects by using URLs.
• B. Place the instances in a private subnet. Use Amazon S3 for storage. Use a VPC endpoint to access S3 objects.
• C. Use the instances with a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volume.
• D. Use Amazon Elastic File System (Amazon EFS) Standard-Infrequent Access (Standard-IA) to store data and provide shared access to the instances.

Correct answer: B

Explanation

Amazon S3 provides highly resilient, shared storage and features native object versioning to protect and track changes to PDF documents. By placing the Amazon EC2 instances in a private subnet and routing traffic through a VPC gateway endpoint, the application can securely read and write to S3 without any exposure to the internet. Other storage options like Amazon EBS and Amazon EFS do not offer native versioning, and using a public subnet violates the strict offline requirement.