AWS Certified Solutions Architect – Associate (SAA-C03) — Question 89
A company has applications that run on Amazon EC2 instances in a VPC. One of the applications needs to call the Amazon S3 API to store and read objects. According to the company's security regulations, no traffic from the applications is allowed to travel across the internet.
Which solution will meet these requirements?
Answer options
- A. Configure an S3 gateway endpoint.
- B. Create an S3 bucket in a private subnet.
- C. Create an S3 bucket in the same AWS Region as the EC2 instances.
- D. Configure a NAT gateway in the same subnet as the EC2 instances.
Correct answer: A
Explanation
The correct answer is A: configuring an S3 gateway endpoint allows the applications to access S3 securely without routing traffic over the internet. Option B is incorrect because an S3 bucket cannot be created in a private subnet; S3 is a regional service. Option C is not sufficient because placing the bucket in the same Region as the EC2 instances does not address the requirement of avoiding internet traffic. Option D is incorrect because a NAT gateway is used to allow outbound internet access, which contradicts the company's security regulations.