AWS Certified Solutions Architect – Associate (SAA-C02) — Question 585

A company deploys Amazon EC2 instances that run in a VPC. The EC2 instances load source data into Amazon S3 buckets so that the data can be processed in the future. According to compliance laws, the data must not be transmitted over the public internet. Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances.
Which solution will meet these requirements?

Answer options

• A. Deploy an interface VPC endpoint for Amazon EC2. Create an AWS Site-to-Site VPN connection between the company and the VPC.
• B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.
• C. Set up an AWS Transit Gateway connection from the VPC to the S3 buckets. Create an AWS Site-to-Site VPN connection between the company and the VPC.
• D. Set up proxy EC2 instances that have routes to NAT gateways. Configure the proxy EC2 instances to fetch S3 data and feed the application instances.

Correct answer: B

Explanation

A gateway VPC endpoint for Amazon S3 allows EC2 instances to securely transfer data to S3 buckets over the private AWS network, avoiding the public internet. Additionally, AWS Direct Connect establishes a dedicated, private physical network connection between the on-premises data center and the VPC to keep the output retrieval off the public internet. Other options fail because NAT gateways and Site-to-Site VPNs traverse the public internet, or they propose invalid routing architectures.