AWS Certified Solutions Architect – Associate (SAA-C02) — Question 599

A company runs an AWS Lambda function in private subnets in a VPC. The subnets have a default route to the internet through an Amazon EC2 NAT instance.
The Lambda function processes input data and saves its output as an object to Amazon S3.
Intermittently, the Lambda function times out while trying to upload the object because of saturated traffic on the NAT instance's network. The company wants to access Amazon S3 without traversing the internet.
Which solution will meet these requirements?

Answer options

• A. Replace the EC2 NAT instance with an AWS managed NAT gateway.
• B. Increase the size of the EC2 NAT instance in the VPC to a network optimized instance type.
• C. Provision a gateway endpoint for Amazon S3 in the VPC. Update the route tables of the subnets accordingly.
• D. Provision a transit gateway. Place transit gateway attachments in the private subnets where the Lambda function is running.

Correct answer: C

Explanation

Creating a gateway VPC endpoint for Amazon S3 allows traffic to flow directly from the private subnets to S3 using private AWS routing, completely bypassing the internet and the congested NAT instance. Modifying the EC2 NAT instance or replacing it with a NAT gateway still routes traffic over the internet and does not address the requirement to avoid internet traversal. Transit Gateway is used for interconnecting VPCs and on-premises networks, not for direct, private S3 access.