AWS Certified Solutions Architect – Associate (SAA-C03) — Question 962

A company runs an application in a private subnet behind an Application Load Balancer (ALB) in a VPC. The VPC has a NAT gateway and an internet gateway. The application calls the Amazon S3 API to store objects.

According to the company's security policy, traffic from the application must not travel across the internet.

Which solution will meet these requirements MOST cost-effectively?

Answer options

• A. Configure an S3 interface endpoint. Create a security group that allows outbound traffic to Amazon S3.
• B. Configure an S3 gateway endpoint. Update the VPC route table to use the endpoint.
• C. Configure an S3 bucket policy to allow traffic from the Elastic IP address that is assigned to the NAT gateway.
• D. Create a second NAT gateway in the same subnet where the legacy application is deployed. Update the VPC route table to use the second NAT gateway.

Correct answer: B

Explanation

An Amazon S3 gateway endpoint provides a secure, private connection to S3 without traversing the public internet, and it is offered at no additional cost, making it the most cost-effective solution. While an S3 interface endpoint also keeps traffic off the internet, it incurs hourly and data processing charges. Accessing S3 through a NAT gateway violates the security policy because the traffic travels over the public internet, and it also incurs extra NAT gateway data processing costs.