AWS Certified Solutions Architect – Associate (SAA-C03) — Question 553

A company runs an application in a VPC with public and private subnets. The VPC extends across multiple Availability Zones. The application runs on Amazon EC2 instances in private subnets. The application uses an Amazon Simple Queue Service (Amazon SQS) queue.

A solutions architect needs to design a secure solution to establish a connection between the EC2 instances and the SQS queue.

Which solution will meet these requirements?

Answer options

• A. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the private subnets. Add to the endpoint a security group that has an inbound access rule that allows traffic from the EC2 instances that are in the private subnets.
• B. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets. Attach to the interface endpoint a VPC endpoint policy that allows access from the EC2 instances that are in the private subnets.
• C. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets. Attach an Amazon SQS access policy to the interface VPC endpoint that allows requests from only a specified VPC endpoint.
• D. Implement a gateway endpoint for Amazon SQS. Add a NAT gateway to the private subnets. Attach an IAM role to the EC2 instances that allows access to the SQS queue.

Correct answer: A

Explanation

Amazon SQS supports interface VPC endpoints powered by AWS PrivateLink, allowing EC2 instances in private subnets to securely connect to SQS without routing traffic through the public internet. To implement this securely, the interface endpoint must be placed in the private subnets with a security group that permits inbound traffic from the EC2 instances. Gateway endpoints are incorrect because they are only supported for Amazon S3 and Amazon DynamoDB, not Amazon SQS.