AWS Certified Solutions Architect – Associate (SAA-C03) — Question 495
A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief information security officer has directed that no application traffic between the two services should traverse the public internet.
Which capability should the solutions architect use to meet the compliance requirements?
Answer options
- A. AWS Key Management Service (AWS KMS)
- B. VPC endpoint
- C. Private subnet
- D. Virtual private gateway
Correct answer: B
Explanation
A VPC endpoint enables private connectivity between your VPC and Amazon S3, routing traffic over the AWS network instead of the public internet. A private subnet keeps EC2 instances unreachable from the internet, but instances in it still need a VPC endpoint to reach S3 privately. AWS KMS manages encryption keys, and a virtual private gateway terminates VPN and Direct Connect connections; neither addresses how traffic to S3 is routed.