AWS Certified Solutions Architect – Associate (SAA-C03) — Question 994

A company deploys Amazon EC2 instances that run in a VPC. The EC2 instances load source data into Amazon S3 buckets so that the data can be processed in the future. According to compliance laws, the data must not be transmitted over the public internet. Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances.

Which solution will meet these requirements?

Answer options

• A. Deploy an interface VPC endpoint for Amazon EC2. Create an AWS Site-to-Site VPN connection between the company and the VPC.
• B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.
• C. Set up an AWS Transit Gateway connection from the VPC to the S3 buckets. Create an AWS Site-to-Site VPN connection between the company and the VPC.
• D. Set up proxy EC2 instances that have routes to NAT gateways. Configure the proxy EC2 instances to fetch S3 data and feed the application instances.

Correct answer: B

Explanation

A gateway VPC endpoint for Amazon S3 allows the EC2 instances to securely and privately access S3 without routing traffic over the public internet. AWS Direct Connect establishes a private, dedicated network connection from the on-premises data center to the VPC, which ensures compliance for the consuming servers. Other options are incorrect because NAT gateways route traffic over the public internet, and AWS Transit Gateway cannot directly connect a VPC to Amazon S3 buckets.