AWS Certified SysOps Administrator – Associate — Question 225

A company has deployed an application on Amazon EC2 instances in a single VPC. The company has placed the EC2 instances in a private subnet in the VPC.

The EC2 instances need access to Amazon S3 buckets that are in the same AWS Region as the EC2 instances. A SysOps administrator must provide the EC2 instances with access to the S3 buckets without requiring any changes to the EC2 instances or the application. The EC2 instances must not have access to the internet.

Which solution will meet these requirements?

Answer options

• A. Create an S3 gateway endpoint that uses the default gateway endpoint policy. Associate the private subnet with the gateway endpoint.
• B. Create an S3 interface endpoint. Associate the EC2 instances with the interface endpoint.
• C. Configure a NAT gateway. Associate the private subnet with the NAT gateway.
• D. Configure a proxy EC2 instance. Update the private subnet route tables to route traffic through the proxy EC2 instance. Configure the proxy to route all S3 requests to the target S3 bucket.

Correct answer: A

Explanation

The correct answer is A because creating an S3 gateway endpoint allows traffic to flow directly from the private subnet to the S3 buckets without requiring internet access. Options B and C are incorrect as they either involve an interface endpoint that is not necessary for this case or require internet access through a NAT gateway. Option D is also not suitable, as it unnecessarily complicates the architecture by introducing a proxy EC2 instance.