AWS Certified Solutions Architect – Associate (SAA-C02) — Question 673

A medical records company is hosting an application on Amazon EC2 instances. The application processes customer data files that are stored on Amazon S3.
The EC2 instances are hosted in public subnets. The EC2 instances access Amazon S3 over the Internet, but they do not require any other network access.
A new requirement mandates that the network traffic for file transfers take a private route and not be sent over the Internet.
Which change to the network architecture should a solutions architect recommend to meet this requirement?

Answer options

• A. Create a NAT gateway. Configure the route table for the public subnets to send traffic to Amazon S3 through the NAT gateway.
• B. Configure the security group for the EC2 instances to restrict outbound traffic so that only traffic to the S3 prefix list is permitted
• C. Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to the route table for the private subnets.
• D. Remove the internet gateway from the VPC. Set up an AWS Direct Connect connection, and route traffic to Amazon S3 over the Direct Connect connection.

Correct answer: C

Explanation

Shifting the Amazon EC2 instances to private subnets and establishing an Amazon S3 VPC gateway endpoint ensures that all traffic to S3 is routed entirely within the AWS network, satisfying the privacy requirement. Option A is incorrect because a NAT gateway still routes traffic over the internet to access S3. Option B only restricts traffic at the firewall level but does not create a private route, while Option D is an unnecessarily complex and costly solution involving physical on-premises connectivity that is not needed here.