AWS Certified Solutions Architect – Associate (SAA-C03) — Question 330
An application that is hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Traffic must not traverse the internet.
How should a solutions architect configure access to meet these requirements?
Answer options
- A. Create a private hosted zone by using Amazon Route 53.
- B. Set up a gateway VPC endpoint for Amazon S3 in the VPC.
- C. Configure the EC2 instances to use a NAT gateway to access the S3 bucket.
- D. Establish an AWS Site-to-Site VPN connection between the VPC and the S3 bucket.
Correct answer: B
Explanation
A gateway VPC endpoint provides private connectivity from a VPC to Amazon S3 without requiring an internet gateway or NAT gateway, keeping all traffic within the AWS global network. A NAT gateway still routes traffic over the internet to reach the public S3 endpoints, while Route 53 private hosted zones and Site-to-Site VPNs do not address private S3 connectivity from within a VPC.
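Added example (not from the exam page): Terraform that creates the gateway endpoint for S3 and attaches it to the private subnets' route tables, plus a bucket policy that rejects any request not arriving through that endpoint. The resource names `aws_vpc.app`, `aws_route_table.private` and `aws_s3_bucket.app_data` are assumed to exist elsewhere in the configuration.

```hcl
# Added example, not code from the original page. Assumes the VPC, private
# route table and bucket resources referenced below are defined elsewhere.

data "aws_region" "current" {}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.app.id                 # assumed VPC resource
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  # Associating the private route table adds a route for the S3 prefix list,
  # so EC2 traffic to S3 never needs an internet gateway or NAT gateway.
  route_table_ids   = [aws_route_table.private.id]   # assumed route table
}

# Defence in depth: deny any request to the bucket that did not come through
# the gateway endpoint, so a misrouted instance (e.g. one sending traffic via
# a NAT gateway to the public S3 endpoint) is refused rather than silently
# allowed.
resource "aws_s3_bucket_policy" "private_only" {
  bucket = aws_s3_bucket.app_data.id                 # assumed bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessViaGatewayEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.app_data.arn,
        "${aws_s3_bucket.app_data.arn}/*",
      ]
      Condition = {
        StringNotEquals = {
          "aws:sourceVpce" = aws_vpc_endpoint.s3.id
        }
      }
    }]
  })
}
```

The Deny statement also blocks administrators and CI jobs that reach the bucket from outside the VPC, so add an explicit exception for those principals before applying it to a bucket you still need to manage from elsewhere. To verify the routing, check that the private route table shows a route whose target is the `vpce-` endpoint ID for the S3 prefix list.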