AWS Certified Solutions Architect – Associate (SAA-C03) — Question 992

A company has an application that runs on Amazon EC2 instances in a private subnet. The application needs to process sensitive information from an Amazon S3 bucket. The application must not use the internet to connect to the S3 bucket.

Which solution will meet these requirements?

Answer options

• A. Configure an internet gateway. Update the S3 bucket policy to allow access from the internet gateway. Update the application to use the new internet gateway.
• B. Configure a VPN connection. Update the S3 bucket policy to allow access from the VPN connection. Update the application to use the new VPN connection.
• C. Configure a NAT gateway. Update the S3 bucket policy to allow access from the NAT gateway. Update the application to use the new NAT gateway.
• D. Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.

Correct answer: D

Explanation

A VPC endpoint enables private connectivity between your VPC and supported AWS services, such as Amazon S3, keeping all traffic within the AWS network and avoiding the public internet. Other solutions like internet gateways or NAT gateways require routing traffic externally, which violates the requirement to avoid the internet. A VPN connection is designed for connecting on-premises networks to AWS and is not the correct solution for internal VPC-to-S3 communication.