AWS Certified Solutions Architect – Professional — Question 714
A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS.
Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
- B. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC.
- C. Create an Amazon S3 interface endpoint in the networking account.
- D. Create an Amazon S3 gateway endpoint in the networking account.
- E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.
Correct answer: A, C
Explanation
With no existing connectivity, the first step is a dedicated private link: an AWS Direct Connect connection with a private VIF that terminates in a VPC in the networking account (Option A). A private VIF gives the on-premises network routes into the VPC's private address space. A public VIF (Option B) cannot be attached to a VPC at all; it reaches AWS public service endpoints over the Direct Connect link, so even though that traffic does not cross the internet, it does not provide the private VPC path the question asks for. The second step is an Amazon S3 interface endpoint, powered by AWS PrivateLink, in that VPC (Option C). The endpoint creates elastic network interfaces with private IP addresses in the VPC's subnets, which are reachable from on-premises over the private VIF. A gateway endpoint (Option D) is a route-table target that only serves traffic originating inside the VPC; it cannot be reached from on-premises over Direct Connect or a VPN. Peering the bucket-owning accounts' VPCs with the networking VPC (Option E) adds nothing, because S3 buckets are not hosted inside a VPC. A single interface endpoint can serve buckets in all three accounts; the endpoint policy and each bucket policy control which buckets are reachable through it. Two practical caveats: on-premises clients must address the endpoint-specific DNS names (or private DNS must be enabled together with an inbound Route 53 Resolver endpoint), because the default s3.region.amazonaws.com name resolves to public IP addresses from on-premises; and the endpoint policy should be scoped to the three buckets rather than left at its default allow-all.
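The networking-account side of Options A and C, written as Terraform, is shown below as an added example; it is not part of the original question. The VPC, subnet and security group names, the region, the on-premises CIDR, the bucket names and the admin role ARN are all placeholders, and the Direct Connect connection and private VIF are assumed to exist already.

```hcl
# Added example, not from the original page. Assumes aws_vpc.networking and its
# endpoint subnets already exist and that the private VIF routes into this VPC.

# Option C: the S3 interface endpoint, with an endpoint policy scoped to the
# three buckets instead of the default allow-all.
resource "aws_vpc_endpoint" "s3_interface" {
  vpc_id              = aws_vpc.networking.id
  service_name        = "com.amazonaws.us-east-1.s3"   # assumed region
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.endpoint_a.id, aws_subnet.endpoint_b.id]
  security_group_ids  = [aws_security_group.s3_endpoint.id]
  private_dns_enabled = false   # on-premises clients use the endpoint-specific DNS names

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyTheThreeBuckets"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::bucket-account-1", "arn:aws:s3:::bucket-account-1/*",   # placeholder names
        "arn:aws:s3:::bucket-account-2", "arn:aws:s3:::bucket-account-2/*",
        "arn:aws:s3:::bucket-account-3", "arn:aws:s3:::bucket-account-3/*",
      ]
    }]
  })
}

# Only HTTPS, and only from the on-premises prefix learned over the private VIF.
resource "aws_security_group" "s3_endpoint" {
  name   = "s3-interface-endpoint"
  vpc_id = aws_vpc.networking.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]   # assumed on-premises range
  }
}

# In each bucket-owning account: refuse requests that did not arrive through the
# endpoint. The endpoint ID is passed in from the networking account (assumed
# variable). The PrincipalArn exemption keeps an admin role (placeholder ARN)
# from being locked out, since the deny would otherwise also block the console.
data "aws_iam_policy_document" "bucket_private_only" {
  statement {
    sid    = "DenyUnlessViaEndpoint"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::bucket-account-1", "arn:aws:s3:::bucket-account-1/*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [var.s3_endpoint_id]
    }
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::111111111111:role/S3Admin"]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_account_1" {
  bucket = "bucket-account-1"
  policy = data.aws_iam_policy_document.bucket_private_only.json
}
```

From on-premises, clients then point at the endpoint rather than the public S3 hostname, for example `aws s3 ls s3://bucket-account-1 --endpoint-url https://bucket.<vpce-id>.s3.us-east-1.vpce.amazonaws.com`, where `<vpce-id>` is the endpoint ID with its DNS suffix as shown in the endpoint's DNS names. The two conditions in the deny statement are ANDed, so the statement denies only requests that both bypass the endpoint and do not come from the exempted role; test that exemption before applying the policy to a bucket you cannot afford to lose access to.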