AWS Certified Solutions Architect – Associate (SAA-C03) — Question 801

A solutions architect is creating an application. The application will run on Amazon EC2 instances in private subnets across multiple Availability Zones in a VPC. The EC2 instances will frequently access large files that contain confidential information. These files are stored in Amazon S3 buckets for processing. The solutions architect must optimize the network architecture to minimize data transfer costs.

What should the solutions architect do to meet these requirements?

Answer options

• A. Create a gateway endpoint for Amazon S3 in the VPC. In the route tables for the private subnets, add an entry for the gateway endpoint.
• B. Create a single NAT gateway in a public subnet. In the route tables for the private subnets, add a default route that points to the NAT gateway.
• C. Create an AWS PrivateLink interface endpoint for Amazon S3 in the VPIn the route tables for the private subnets, add an entry for the interface endpoint.
• D. Create one NAT gateway for each Availability Zone in public subnets. In each of the route tables for the private subnets, add a default route that points to the NAT gateway in the same Availability Zone.

Correct answer: A

Explanation

Amazon S3 Gateway Endpoints are available at no additional cost and do not incur data transfer or data processing fees, making them the most cost-effective option for accessing S3 from a VPC. In contrast, using NAT Gateways or AWS PrivateLink Interface Endpoints introduces hourly charges and per-gigabyte data processing fees, which would significantly increase costs when transferring large files. Therefore, creating a gateway endpoint and updating the private subnet route tables is the optimal solution.