AWS Certified Solutions Architect – Associate (SAA-C02) — Question 9
A company has applications running on Amazon EC2 instances in a VPC. One of the applications needs to call an Amazon S3 API to store and read objects. The company's security policies restrict any internet-bound traffic from the applications.
Which action will fulfill these requirements and maintain security?
Answer options
- A. Configure an S3 interface endpoint.
- B. Configure an S3 gateway endpoint.
- C. Create an S3 bucket in a private subnet.
- D. Create an S3 bucket in the same Region as the EC2 instance.
Correct answer: B
Explanation
The correct answer is B: configuring an S3 gateway endpoint allows the EC2 instances to access S3 without needing an internet connection, which adheres to the company's security policies. Option A is incorrect because an S3 interface endpoint is not required for this scenario, while options C and D do not address the need to maintain security by avoiding internet-bound traffic.