AWS Certified Solutions Architect – Professional (SAP-C02) — Question 38

A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone contains one public subnet and one private subnet.

The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service. The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The EC2 instances retrieve approximately 1 ТВ of data from an S3 bucket each day.

The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without compromising the service’s security posture or increasing the time spent on ongoing operations.

Which solution will meet these requirements?

Answer options

• A. Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.
• B. Move the EC2 instances to the public subnets. Remove the NAT gateways.
• C. Set up an S3 gateway VPC endpoint in the VPAttach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.
• D. Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the images on the EFS volume.

Correct answer: C

Explanation

Option C is the correct choice as it allows the EC2 instances to access S3 directly without incurring NAT gateway costs, thus reducing expenditures while maintaining security. Option A would still incur costs associated with NAT instances, and Option B compromises security by exposing EC2 instances directly to the internet. Option D introduces additional complexity and doesn't address the cost-saving requirement effectively.