AWS Certified SysOps Administrator – Associate — Question 49
A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet.
What should a SysOps administrator do to meet the compliance requirement?
Answer options
- A. Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.
- B. Configure AWS Network Firewall to redirect traffic to the internal S3 address.
- C. Modify the application to use the S3 path-style endpoint.
- D. Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.
Correct answer: A
Explanation
The correct answer is A because an interface VPC endpoint provides private connectivity to Amazon S3 without traversing the internet, which meets the compliance requirement. Option B is incorrect because AWS Network Firewall does not serve this purpose. Option C does not ensure that traffic stays off the internet. Option D does not provide direct private access to S3.