AWS Certified Solutions Architect – Associate (SAA-C03) — Question 797
A company runs an AWS Lambda function in private subnets in a VPC. The subnets have a default route to the internet through an Amazon EC2 NAT instance. The Lambda function processes input data and saves its output as an object to Amazon S3.
Intermittently, the Lambda function times out while trying to upload the object because of saturated traffic on the NAT instance's network. The company wants to access Amazon S3 without traversing the internet.
Which solution will meet these requirements?
Answer options
- A. Replace the EC2 NAT instance with an AWS managed NAT gateway.
- B. Increase the size of the EC2 NAT instance in the VPC to a network optimized instance type.
- C. Provision a gateway endpoint for Amazon S3 in the VPC. Update the route tables of the subnets accordingly.
- D. Provision a transit gateway. Place transit gateway attachments in the private subnets where the Lambda function is running.
Correct answer: C
Explanation
Creating a gateway VPC endpoint for Amazon S3 establishes a private connection between the VPC and S3, routing traffic directly through the AWS network and bypassing the NAT instance and the public internet entirely. Modifying or replacing the NAT instance (Options A and B) still sends traffic over the internet and does not resolve the core requirement to avoid the public internet. AWS Transit Gateway (Option D) is designed for interconnecting multiple VPCs and on-premises networks, not for establishing private access to S3.
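The solution in Option C, written out as an added CloudFormation example (this template is not part of the original question or of any AWS sample). It creates the S3 gateway endpoint, associates it with the private subnets' route table, and attaches an endpoint policy so that traffic through the endpoint is limited to writing into the function's output bucket rather than to all of S3, which is what the default endpoint policy allows. The parameters `VpcId`, `PrivateRouteTableId`, `OutputBucketName` and `LambdaRoleArn` are placeholders to be supplied at deploy time.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: gateway VPC endpoint for Amazon S3 serving a Lambda
  function that runs in private subnets. Parameter values are assumed
  and must be supplied for the target account.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC that contains the Lambda function's private subnets (assumed)
  PrivateRouteTableId:
    Type: String
    Description: Route table associated with those private subnets (assumed)
  OutputBucketName:
    Type: String
    Description: Existing bucket the Lambda function writes its output to (assumed)
  LambdaRoleArn:
    Type: String
    Description: Execution role ARN of the Lambda function (assumed)

Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      # Regional S3 service name; resolves to e.g. com.amazonaws.us-east-1.s3
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      # Associating the route table adds a route for the S3 managed prefix
      # list that points at this endpoint. It is more specific than the
      # 0.0.0.0/0 default route, so S3 traffic no longer reaches the NAT instance.
      RouteTableIds:
        - !Ref PrivateRouteTableId
      # Endpoint policy: without it the endpoint permits any S3 action on any
      # bucket. Here only the function's role may write to the output bucket.
      # Widen the Action list if the function also reads its input from S3.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowLambdaWriteToOutputBucket
            Effect: Allow
            Principal:
              AWS: !Ref LambdaRoleArn
            Action:
              - s3:PutObject
              - s3:AbortMultipartUpload
            Resource: !Sub arn:aws:s3:::${OutputBucketName}/*

Outputs:
  EndpointId:
    Description: ID of the S3 gateway endpoint (vpce-...)
    Value: !Ref S3GatewayEndpoint
```

After deployment, `aws ec2 describe-route-tables --route-table-ids <PrivateRouteTableId>` should show a route whose destination is the S3 prefix list (`pl-...`) with the endpoint ID as its target; that route is what diverts the upload away from the NAT instance. Two further checks are worth making: the Lambda function's VPC configuration must reference subnets associated with that route table, and a bucket policy on the output bucket can deny `s3:PutObject` unless `aws:SourceVpce` equals the endpoint ID from the `EndpointId` output, which turns "no traffic over the internet" from a routing fact into an enforced control.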