AWS Certified Solutions Architect – Associate (SAA-C03) — Question 813
A company runs a web application on multiple Amazon EC2 instances in a VPC. The application needs to write sensitive data to an Amazon S3 bucket. The data cannot be sent over the public internet.
Which solution will meet these requirements?
Answer options
- A. Create a gateway VPC endpoint for Amazon S3. Create a route in the VPC route table to the endpoint.
- B. Create an internal Network Load Balancer that has the S3 bucket as the target.
- C. Deploy the S3 bucket inside the VPC. Create a route in the VPC route table to the bucket.
- D. Create an AWS Direct Connect connection between the VPC and an S3 regional endpoint.
Correct answer: A
Explanation
A gateway VPC endpoint for Amazon S3 lets the EC2 instances reach S3 over the AWS network without an internet gateway, NAT device, or public IP address. When you create the endpoint you associate it with the VPC route tables; AWS then adds a route for the Region's S3 prefix list that targets the endpoint, so requests to S3 from those subnets never traverse the public internet. Gateway endpoints are free of charge, support only S3 and DynamoDB, and must be in the same Region as the bucket. The endpoint by itself only gives the instances a private path; it does not stop the bucket from being reached from elsewhere, so in practice you pair it with a bucket policy that denies requests whose aws:SourceVpce is not that endpoint, and with an endpoint policy that limits which buckets the instances may use. (An interface VPC endpoint for S3, based on AWS PrivateLink, would also keep traffic private but carries hourly and data-processing charges; the gateway endpoint is the intended answer.) The other options are invalid: an S3 bucket cannot be deployed inside a VPC, a Network Load Balancer does not support an S3 bucket as a target, and AWS Direct Connect connects on-premises networks to AWS rather than routing a VPC to S3.
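The following is an added example, not part of the exam page, showing the three pieces a practitioner would actually deploy for option A: the gateway endpoint (with its route-table association and a restrictive endpoint policy), a bucket policy that denies any request not arriving through that endpoint, and a small check of how that Deny condition behaves for requests from the internet. The Region, bucket name, VPC ID, route-table IDs and endpoint ID are hypothetical placeholders; the deploy() function needs real boto3 clients and credentials and is not run offline, while the policy builders and the condition check are pure Python.

```python
"""Gateway VPC endpoint for S3 plus a VPCE-only bucket policy (added example).

Hypothetical identifiers: Region us-east-1, bucket 'example-sensitive-data',
endpoint 'vpce-0123456789abcdef0'. Real deployments substitute their own.
"""
import json
from typing import List, Optional

REGION = "us-east-1"
S3_SERVICE = f"com.amazonaws.{REGION}.s3"   # gateway endpoint service name


def endpoint_policy(bucket: str) -> dict:
    """Endpoint policy: instances behind this endpoint may only touch our bucket.
    The default endpoint policy allows all S3 access, including to buckets in
    other accounts, which is an exfiltration path; this narrows it."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy: deny every request that did not come through the endpoint.
    The endpoint gives the instances a private path; this is what stops the
    bucket from being used over the public internet with a leaked credential."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def request_denied(policy: dict, request_vpce: Optional[str]) -> bool:
    """Evaluate only the Deny/StringNotEquals statement above against a request.
    IAM semantics for negated operators: if the condition key is absent from
    the request context (true for any request not routed via a VPC endpoint,
    e.g. from the internet), StringNotEquals matches and the Deny applies.
    This is a check of that one rule, not a general policy evaluator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        expected = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if expected is None:          # unconditional Deny
            return True
        if request_vpce != expected:  # absent key or a different endpoint
            return True
    return False


def deploy(ec2, s3, vpc_id: str, route_table_ids: List[str], bucket: str) -> str:
    """Create the gateway endpoint and attach the bucket policy.
    Takes boto3 'ec2' and 's3' clients; requires AWS credentials, so it is
    not exercised offline. Passing RouteTableIds makes AWS add the S3
    prefix-list route (pl-... -> vpce-...) to each listed route table."""
    resp = ec2.create_vpc_endpoint(
        VpcId=vpc_id,
        ServiceName=S3_SERVICE,
        VpcEndpointType="Gateway",
        RouteTableIds=route_table_ids,
        PolicyDocument=json.dumps(endpoint_policy(bucket)),
    )
    vpce_id = resp["VpcEndpoint"]["VpcEndpointId"]
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy(bucket, vpce_id)))
    return vpce_id


if __name__ == "__main__":
    # Offline dry run: show the documents that deploy() would send to AWS.
    bucket, vpce = "example-sensitive-data", "vpce-0123456789abcdef0"
    print(json.dumps(endpoint_policy(bucket), indent=2))
    print(json.dumps(bucket_policy(bucket, vpce), indent=2))
    print("internet request denied:", request_denied(bucket_policy(bucket, vpce), None))
```

With this in place a caller using valid keys from outside the VPC is refused by the bucket, and an instance inside the VPC cannot use the endpoint to write to an attacker-controlled bucket; both controls are needed for "the data cannot be sent over the public internet" to hold in practice rather than only by routing.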