AWS Certified Solutions Architect – Associate (SAA-C02) — Question 576
An application that is hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Traffic must not traverse the internet.
How should a solutions architect configure access to meet these requirements?
Answer options
- A. Create a private hosted zone by using Amazon Route 53.
- B. Set up a gateway VPC endpoint for Amazon S3 in the VPC.
- C. Configure the EC2 instances to use a NAT gateway to access the S3 bucket.
- D. Establish an AWS Site-to-Site VPN connection between the VPC and the S3 bucket.
Correct answer: B
Explanation
A gateway VPC endpoint provides secure, private connectivity to Amazon S3 from within a VPC without requiring an internet gateway or NAT gateway, so traffic never traverses the public internet. A NAT gateway, by contrast, sends the traffic out through an internet gateway to the public S3 endpoints, which violates the requirement. A Route 53 private hosted zone only provides private DNS resolution and does not change how packets are routed, and an AWS Site-to-Site VPN connects a VPC to a remote network such as an on-premises data centre, not to Amazon S3; neither provides direct, private VPC-to-S3 routing.
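The endpoint alone is not the whole configuration: it only takes effect for subnets whose route table carries a route for the S3 prefix list pointing at the endpoint, and the private path is not enforced unless the endpoint policy and the bucket policy say so. The following added example (written for this page, not code from AWS or from the exam) builds the two policy documents a practitioner would attach and checks a route table in the shape returned by `aws ec2 describe-route-tables`. All identifiers (VPC, endpoint, prefix list, bucket name, route tables) are constructed placeholders; the bucket-policy condition key `aws:SourceVpce` and the route-table field names are real.

```python
"""Gateway VPC endpoint for S3: policy documents and a route-table check.

Added example, not part of the exam question. Every identifier below is a
constructed placeholder; substitute your own values.
"""
import json

# Constructed placeholder identifiers.
ENDPOINT_ID = "vpce-0abc1234def567890"          # the gateway endpoint
S3_PREFIX_LIST_ID = "pl-00000000"               # S3 prefix list for the region (placeholder)
BUCKET = "example-private-bucket"


def endpoint_policy(bucket: str) -> dict:
    """Endpoint policy attached to the gateway endpoint.

    The default endpoint policy allows all S3 access; this one limits the
    endpoint to the single bucket the application needs, which also stops
    the endpoint being used to reach buckets in other accounts.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAppBucketOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def bucket_policy(bucket: str, endpoint_id: str) -> dict:
    """Bucket policy that denies any request not arriving via the endpoint.

    S3 sets aws:SourceVpce for requests that came through a gateway endpoint.
    Requests from the internet, including those routed through a NAT gateway,
    carry no such key and therefore match the Deny.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}},
        }],
    }


def has_s3_endpoint_route(route_table: dict, prefix_list_id: str, endpoint_id: str) -> bool:
    """Return True if the route table (describe-route-tables shape) has the
    route that makes the endpoint effective: destination = S3 prefix list,
    target = the gateway endpoint, state active. Without it, S3 traffic from
    that subnet still follows the default route (NAT gateway or internet)."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("GatewayId") == endpoint_id
                and route.get("State") == "active"):
            return True
    return False


# Constructed sample route tables: one correctly configured, one that still
# sends S3 traffic through the NAT gateway.
PRIVATE_SUBNET_RT_OK = {
    "RouteTableId": "rtb-0aaa",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"},
        {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": ENDPOINT_ID, "State": "active"},
    ],
}
PRIVATE_SUBNET_RT_MISSING = {
    "RouteTableId": "rtb-0ccc",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(endpoint_policy(BUCKET), indent=2))
    print(json.dumps(bucket_policy(BUCKET, ENDPOINT_ID), indent=2))
    for rt in (PRIVATE_SUBNET_RT_OK, PRIVATE_SUBNET_RT_MISSING):
        ok = has_s3_endpoint_route(rt, S3_PREFIX_LIST_ID, ENDPOINT_ID)
        print(rt["RouteTableId"], "S3 via gateway endpoint" if ok else "S3 still via NAT/internet")
```

Two caveats when applying this: a gateway endpoint is regional and only carries traffic to buckets in the same region, so the bucket and the VPC must be in the same region; and the `StringNotEquals aws:SourceVpce` Deny also blocks every request from outside the VPC, including administrators using the console or CLI from elsewhere, so add explicit exceptions for those principals before attaching it.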