AWS Certified Solutions Architect – Associate (SAA-C03) — Question 794
A company is expanding a secure on-premises network to the AWS Cloud by using an AWS Direct Connect connection. The on-premises network has no direct internet access. An application that runs on the on-premises network needs to use an Amazon S3 bucket.
Which solution will meet these requirements MOST cost-effectively?
Answer options
- A. Create a public virtual interface (VIF). Route the AWS traffic over the public VIF.
- B. Create a VPC and a NAT gateway. Route the AWS traffic from the on-premises network to the NAT gateway.
- C. Create a VPC and an Amazon S3 interface endpoint. Route the AWS traffic from the on-premises network to the S3 interface endpoint.
- D. Create a VPC peering connection between the on-premises network and Direct Connect. Route the AWS traffic over the peering connection.
Correct answer: C
Explanation
An Amazon S3 interface endpoint (AWS PrivateLink) allows private, cost-effective access to Amazon S3 from an on-premises network via AWS Direct Connect without needing public IP addresses or public VIFs. Using a NAT gateway requires internet routing, which is not available, and VPC peering cannot be established directly to an on-premises network.