AWS Certified Solutions Architect – Associate (SAA-C03) — Question 618
A company is moving its data and applications to AWS during a multiyear migration project. The company wants to securely access data on Amazon S3 from the company's AWS Region and from the company's on-premises location. The data must not traverse the internet. The company has established an AWS Direct Connect connection between its Region and its on-premises location.
Which solution will meet these requirements?
Answer options
- A. Create gateway endpoints for Amazon S3. Use the gateway endpoints to securely access the data from the Region and the on-premises location.
- B. Create a gateway in AWS Transit Gateway to access Amazon S3 securely from the Region and the on-premises location.
- C. Create interface endpoints for Amazon S3. Use the interface endpoints to securely access the data from the Region and the on-premises location.
- D. Use an AWS Key Management Service (AWS KMS) key to access the data securely from the Region and the on-premises location.
Correct answer: C
Explanation
Interface endpoints (AWS PrivateLink) allow on-premises resources to access Amazon S3 securely over AWS Direct Connect without traversing the public internet. Gateway endpoints, by contrast, cannot be accessed directly from on-premises locations. AWS Transit Gateway and AWS KMS do not inherently provide the private network connectivity required to route S3 traffic from on-premises.