AWS Certified SysOps Administrator – Associate (legacy) — Question 538
An Amazon EC2 instance in a private subnet needs to copy data to an Amazon S3 bucket. For security reasons, the connection from the EC2 instance to Amazon S3 must not traverse across the Internet.
What action should the SysOps Administrator take to accomplish this?
Answer options
- A. Create a NAT instance and route traffic destined to Amazon S3 through it.
- B. Create a VPN connection between the EC2 instance and Amazon S3.
- C. Create an S3 VPC endpoint in the VPC where the EC2 instance resides.
- D. Use AWS Direct Connect to maximize throughput and keep the traffic private.
Correct answer: C
Explanation
A VPC endpoint for Amazon S3 lets instances in the VPC reach S3 entirely over the AWS network. With a gateway endpoint, AWS adds a route for the S3 managed prefix list, pointing at the endpoint, to every route table you associate with the endpoint; traffic from the private subnet to S3 then follows that route instead of a default route, so it needs no Internet gateway, NAT device or public IP and never leaves AWS. (S3 also supports interface endpoints, which place an ENI in the subnet; either type satisfies the requirement, but the gateway endpoint is free and is the usual choice.) The endpoint is regional, so the bucket must be in the same Region as the VPC, and it only affects route tables that are associated with it: a private subnet whose route table was not associated keeps sending S3 traffic via whatever default route it has.

Option A is wrong because a NAT instance gives the private subnet Internet egress and sends S3 traffic over the public Internet, which is exactly what the requirement forbids. Option B is wrong because a Site-to-Site VPN terminates on a virtual private gateway or transit gateway and an on-premises device; you cannot establish a VPN to S3. Option D is wrong because AWS Direct Connect is a private link between an on-premises network and AWS; it does not apply to an instance that is already inside a VPC, and throughput was not the requirement.
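Two things a SysOps administrator would check after choosing option C are that the private subnet's route table actually received the endpoint route, and that the bucket cannot still be reached from the Internet by some other path. The script below is an added example, not part of the original question or of any AWS tool: it parses a constructed `aws ec2 describe-route-tables` response to find which endpoint (if any) S3-bound traffic from a subnet uses, and builds the AWS-documented bucket-policy pattern that denies every request not carrying the `aws:sourceVpce` condition key for that endpoint. All identifiers (`vpce-0abc123`, `pl-63a5400a`, subnet and route-table ids, bucket name) are hypothetical.

```python
"""Checks for private S3 access through a gateway VPC endpoint (illustrative code,
not from the exam page or from AWS). All resource identifiers are hypothetical."""
import json

# Hypothetical managed prefix list id for S3 in the Region; the real value comes
# from `aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.<region>.s3`.
S3_PREFIX_LIST = "pl-63a5400a"

# Constructed sample of a `describe-route-tables` response: one subnet whose route
# table is associated with the endpoint, one whose table still points S3 at a NAT
# gateway, and the VPC main table (used by subnets with no explicit association).
ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-private",
            "Associations": [{"SubnetId": "subnet-private"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": "vpce-0abc123"},
            ],
        },
        {
            "RouteTableId": "rtb-private-2",
            "Associations": [{"SubnetId": "subnet-private-2"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def456"},
            ],
        },
        {
            "RouteTableId": "rtb-main",
            "Associations": [{"Main": True}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        },
    ]
}


def route_table_for_subnet(describe_output, subnet_id):
    """Return the route table a subnet uses: its explicit association, else the main table."""
    main = None
    for rtb in describe_output["RouteTables"]:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def s3_endpoint_for_subnet(describe_output, subnet_id, s3_prefix_list_id):
    """Return the vpce-* id that S3-bound traffic from the subnet is routed to, or
    None when the route table has no prefix-list route to a gateway endpoint (in
    which case S3 traffic follows the default route, e.g. to a NAT gateway)."""
    rtb = route_table_for_subnet(describe_output, subnet_id)
    if rtb is None:
        return None
    for route in rtb["Routes"]:
        if (route.get("DestinationPrefixListId") == s3_prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")):
            return route["GatewayId"]
    return None


def vpce_only_bucket_policy(bucket, vpce_id):
    """Bucket policy that denies any request not arriving through vpce_id.
    aws:sourceVpce is only present on requests that came via a VPC endpoint, and a
    missing key satisfies StringNotEquals, so Internet and NAT paths are refused."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def denied_by_vpce_policy(policy, request_context):
    """Evaluate only the single Deny statement produced above (not a general IAM
    evaluator). request_context maps condition keys to values as S3 would see them."""
    stmt = policy["Statement"][0]
    expected = stmt["Condition"]["StringNotEquals"]["aws:sourceVpce"]
    return request_context.get("aws:sourceVpce") != expected


if __name__ == "__main__":
    for subnet in ("subnet-private", "subnet-private-2", "subnet-orphan"):
        print(subnet, "->", s3_endpoint_for_subnet(ROUTE_TABLES, subnet, S3_PREFIX_LIST))
    policy = vpce_only_bucket_policy("example-bucket", "vpce-0abc123")
    print(json.dumps(policy, indent=2))
    print("internet request denied:", denied_by_vpce_policy(policy, {"aws:sourceIp": "203.0.113.5"}))
```

The endpoint itself is created with `aws ec2 create-vpc-endpoint --vpc-id <vpc> --service-name com.amazonaws.<region>.s3 --route-table-ids <rtb>` (gateway is the default endpoint type); the route-table ids passed there are what the first check verifies. Apply the bucket policy with care: because it denies every principal, including administrators working from the console or from outside the VPC, it is normally combined with an exception (for example a second condition on the admin role's ARN) before it goes on a bucket that people also need to manage.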