AWS Certified Solutions Architect – Associate (SAA-C02) — Question 665
An application runs on an Amazon EC2 instance in a VPC. The application processes logs that are stored in an Amazon S3 bucket. The EC2 instance needs to access the S3 bucket without connectivity to the internet.
Which solution will provide private network connectivity to Amazon S3?
Answer options
- A. Create a gateway VPC endpoint to the S3 bucket.
- B. Stream the logs to Amazon CloudWatch Logs. Export the logs to the S3 bucket.
- C. Create an instance profile on Amazon EC2 to allow S3 access.
- D. Create an Amazon API Gateway API with a private link to access the S3 endpoint.
Correct answer: A
Explanation
A gateway VPC endpoint for Amazon S3 adds a route for the S3 service's public IP prefix list to the subnet route tables you associate with it, so requests from the instance to S3 in the same Region stay on the AWS network and need no internet gateway, NAT device, or VPN connection. The endpoint is created for the S3 service in the Region, not for one bucket; access through it is narrowed to the log bucket with an endpoint policy, and the bucket policy can in turn deny any request that does not arrive through that endpoint (condition key aws:sourceVpce). An IAM instance profile (option C) is still required so the application is authorized to call S3, but it grants permissions only and creates no network path, which is why it is not the answer on its own. Option B adds a hop to CloudWatch Logs that itself needs a route out of the VPC and does not give the application a private path to read from the bucket. Option D (API Gateway with a private integration) does not provide a direct network route to Amazon S3 either. When troubleshooting, confirm that the instance's subnet route table is one of those associated with the endpoint and that the security group allows outbound HTTPS (port 443) to the S3 prefix list.
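The following Python is an added example, not part of the exam question or AWS documentation. It builds the two policy documents that pair with a gateway endpoint (the endpoint policy that limits the endpoint to the log bucket, and the bucket policy that denies requests not arriving via the endpoint), assembles the keyword arguments for boto3's ec2.create_vpc_endpoint call without making the call, and checks a describe_route_tables result for the route AWS installs when the endpoint is associated. All IDs (vpc-, rtb-, vpce-, pl-) and the bucket name example-log-bucket are placeholders; the route table shown is constructed to look like the API output.

```python
"""Gateway VPC endpoint for S3: endpoint policy, matching bucket policy,
create_vpc_endpoint arguments, and a route-table check.
Added example; all resource IDs and the bucket name are placeholders."""
import json

S3_READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]


def bucket_arns(bucket):
    """ARNs for the bucket itself (ListBucket) and its objects (GetObject)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def endpoint_policy(bucket):
    """Endpoint policy: the endpoint only carries traffic to this bucket.
    Principal "*" is normal here: the endpoint policy narrows what the
    endpoint can reach, it grants nothing by itself (the instance role still
    needs its own IAM allow)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyTheLogBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": S3_READ_ACTIONS,
            "Resource": bucket_arns(bucket),
        }],
    }


def bucket_policy(bucket, vpce_id):
    """Bucket policy: deny every request that did not come via the endpoint.
    Caveat: this also blocks console/CLI users outside the VPC unless the
    condition is widened (for example with an additional aws:PrincipalArn
    exception for an admin role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": bucket_arns(bucket),
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def create_endpoint_request(vpc_id, region, route_table_ids, bucket):
    """Keyword arguments for boto3: ec2.create_vpc_endpoint(**kwargs).
    The service name is regional; the endpoint must be in the bucket's Region
    for traffic to use it."""
    return {
        "VpcEndpointType": "Gateway",
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.s3",
        "RouteTableIds": list(route_table_ids),
        "PolicyDocument": json.dumps(endpoint_policy(bucket)),
    }


def has_gateway_endpoint_route(route_table):
    """True if a route table (one entry of describe_route_tables()['RouteTables'])
    has an active route to a prefix list whose target is a gateway endpoint.
    AWS adds this route automatically when the endpoint is associated."""
    return any(
        r.get("DestinationPrefixListId", "").startswith("pl-")
        and r.get("GatewayId", "").startswith("vpce-")
        and r.get("State") == "active"
        for r in route_table.get("Routes", [])
    )


# Constructed samples shaped like describe_route_tables output (placeholder IDs).
ROUTE_TABLE_WITH_ENDPOINT = {
    "RouteTableId": "rtb-0a1b2c3d4e5f60718",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-63a5400a",
         "GatewayId": "vpce-0f1e2d3c4b5a69788", "State": "active"},
    ],
}
ROUTE_TABLE_PRIVATE_ONLY = {
    "RouteTableId": "rtb-0b2c3d4e5f6071829",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    ],
}

if __name__ == "__main__":
    req = create_endpoint_request("vpc-0123456789abcdef0", "us-east-1",
                                  ["rtb-0a1b2c3d4e5f60718"], "example-log-bucket")
    print(json.dumps(req, indent=2))
    print(json.dumps(bucket_policy("example-log-bucket", "vpce-0f1e2d3c4b5a69788"), indent=2))
    print("endpoint route present:", has_gateway_endpoint_route(ROUTE_TABLE_WITH_ENDPOINT))
    print("endpoint route present:", has_gateway_endpoint_route(ROUTE_TABLE_PRIVATE_ONLY))
```

The route check is the first thing to run when an instance in a private subnet still cannot reach S3 after the endpoint exists: a missing prefix-list route means the subnet's route table was never associated with the endpoint, and the request is still trying to leave via a route that does not exist.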