AWS Certified Solutions Architect – Associate (SAA-C03) — Question 947

A company runs its legacy web application on AWS. The web application server runs on an Amazon EC2 instance in the public subnet of a VPC. The web application server collects images from customers and stores the image files in a locally attached Amazon Elastic Block Store (Amazon EBS) volume. The image files are uploaded every night to an Amazon S3 bucket for backup.

A solutions architect discovers that the image files are being uploaded to Amazon S3 through the public endpoint. The solutions architect needs to ensure that traffic to Amazon S3 does not use the public endpoint.

Which solution will meet these requirements?

Answer options

• A. Create a gateway VPC endpoint for the S3 bucket that has the necessary permissions for the VPC. Configure the subnet route table to use the gateway VPC endpoint.
• B. Move the S3 bucket inside the VPC. Configure the subnet route table to access the S3 bucket through private IP addresses.
• C. Create an Amazon S3 access point for the Amazon EC2 instance inside the VPConfigure the web application to upload by using the Amazon S3 access point.
• D. Configure an AWS Direct Connect connection between the VPC that has the Amazon EC2 instance and Amazon S3 to provide a dedicated network path.

Correct answer: A

Explanation

A gateway VPC endpoint provides private connectivity from a VPC to Amazon S3 by routing traffic through the AWS internal network instead of the public internet. Amazon S3 is a regional service and cannot be deployed inside a VPC, making Option B incorrect. Amazon S3 access points do not alter the underlying network path on their own, and AWS Direct Connect is designed for hybrid cloud connectivity rather than internal VPC-to-S3 routing.