AWS Certified Solutions Architect – Associate (SAA-C03) — Question 499
A company has a service that reads and writes large amounts of data from an Amazon S3 bucket in the same AWS Region. The service is deployed on Amazon EC2 instances within the private subnet of a VPC. The service communicates with Amazon S3 over a NAT gateway in the public subnet. However, the company wants a solution that will reduce the data output costs.
Which solution will meet these requirements MOST cost-effectively?
Answer options
- A. Provision a dedicated EC2 NAT instance in the public subnet. Configure the route table for the private subnet to use the elastic network interface of this instance as the destination for all S3 traffic.
- B. Provision a dedicated EC2 NAT instance in the private subnet. Configure the route table for the public subnet to use the elastic network interface of this instance as the destination for all S3 traffic.
- C. Provision a VPC gateway endpoint. Configure the route table for the private subnet to use the gateway endpoint as the route for all S3 traffic.
- D. Provision a second NAT gateway. Configure the route table for the private subnet to use this NAT gateway as the destination for all S3 traffic.
Correct answer: C
Explanation
Creating a VPC gateway endpoint for Amazon S3 allows EC2 instances in the private subnet to access S3 directly using private IP addresses, which incurs no data processing or data transfer charges for traffic within the same region. In contrast, using a NAT gateway (or multiple NAT gateways) incurs standard data processing charges per gigabyte, making it highly expensive for large data transfers. Deploying EC2 NAT instances also introduces management overhead and does not eliminate data transfer costs as effectively as a free VPC gateway endpoint.
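As an added example (not part of the question or its explanation), the Terraform below shows the option C setup: a gateway endpoint for S3 attached to the private subnet's route table, plus an endpoint policy and a bucket policy that limit what can pass through it. The VPC id, region and bucket name are assumed placeholders.

```hcl
# Added example, not from the exam page. VPC id, region and bucket name are
# assumed placeholders.
resource "aws_route_table" "private" {
  vpc_id = "vpc-0123456789abcdef0" # assumed placeholder
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = "vpc-0123456789abcdef0" # assumed placeholder
  service_name      = "com.amazonaws.us-east-1.s3" # region assumed
  vpc_endpoint_type = "Gateway"
  # Associating the private route table inserts a route for the S3 managed
  # prefix list that targets the endpoint, so S3 traffic bypasses the NAT gateway.
  route_table_ids = [aws_route_table.private.id]

  # Endpoint policy: only the service's bucket is reachable via this endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-service-bucket",
        "arn:aws:s3:::example-service-bucket/*",
      ]
    }]
  })
}

# Bucket-side control: reject requests that do not arrive through the endpoint.
resource "aws_s3_bucket_policy" "only_via_endpoint" {
  bucket = "example-service-bucket" # assumed placeholder
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyOutsideEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::example-service-bucket",
        "arn:aws:s3:::example-service-bucket/*",
      ]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
      }
    }]
  })
}
```

The bucket policy's explicit Deny applies to every principal, so any access that does not traverse the endpoint (the console, CI pipelines, other accounts) is blocked until it is exempted in the policy. After applying, confirm the private route table shows a route whose destination is the S3 prefix list and whose target is the endpoint id.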