AWS Certified SysOps Administrator – Associate (legacy) — Question 623
A SysOps Administrator must remove public IP addresses from all Amazon EC2 instances to prevent exposure to the internet. However, many corporate applications running on those EC2 instances need to access Amazon S3 buckets. The Administrator is tasked with allowing the EC2 instances to continue to access the S3 buckets.
Which solutions can be used? (Choose two.)
Answer options
- A. Deploy a NAT gateway, and configure the route tables accordingly in the VPC where the EC2 instances are running.
- B. Modify the network ACLs with private IP addresses in the routes to connect to Amazon S3.
- C. Modify the security groups on the EC2 instances with private IP addresses in the routes to connect to Amazon S3.
- D. Set up AWS Direct Connect, and configure a virtual interface between the EC2 instances and the S3 buckets.
- E. Set up a VPC endpoint in the VPC where the EC2 instances are running, and configure the route tables accordingly.
Correct answer: A, E
Explanation
A NAT gateway in a public subnet lets instances in private subnets reach S3's public endpoints: the gateway translates their private source addresses to its own public address, so the instances themselves never need a public IP. Alternatively, a VPC gateway endpoint for S3 adds a route for S3's prefix list to the private subnets' route tables, so traffic to S3 stays on the AWS network and never traverses the public internet. Security groups and network ACLs filter traffic but contain no routes, so options B and C cannot direct traffic to S3, and Direct Connect (option D) is designed for hybrid on-premises connectivity, not for a path between EC2 instances and S3.
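To check whether the private-subnet route tables actually carry one of the two working paths (a gateway endpoint route for the S3 prefix list, or a default route through a NAT gateway) after public IPs are removed, the following audit script is an added example, not part of the original question or of any AWS tool. It takes data in the shape of `aws ec2 describe-route-tables` output; the sample route tables and every resource ID in it are constructed placeholders.

```python
"""Classify VPC route tables by how their subnets can reach Amazon S3.

Added example: given JSON in the shape returned by `aws ec2 describe-route-tables`,
label each route table as one of
  - "endpoint": a gateway endpoint route for a prefix list (option E)
  - "nat":      a default route through a NAT gateway (option A)
  - "igw":      a default route through an internet gateway (only usable by
                instances that still hold a public IP, which the question forbids)
  - "none":     no path to S3 at all
All IDs below are constructed placeholders, not real AWS resources.
"""
import json

# Constructed sample in the shape of `describe-route-tables` JSON output.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {"RouteTableId": "rtb-private-a",
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationPrefixListId": "pl-example-s3", "GatewayId": "vpce-0123456789abcdef0", "State": "active"}
     ]},
    {"RouteTableId": "rtb-private-b",
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"}
     ]},
    {"RouteTableId": "rtb-public",
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"}
     ]},
    {"RouteTableId": "rtb-isolated",
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
     ]}
  ]
}
""")


def classify_route_table(route_table: dict) -> str:
    """Return the most private working path to S3 found in this route table."""
    active = [r for r in route_table.get("Routes", []) if r.get("State", "active") == "active"]
    # A gateway endpoint route targets a prefix list through a vpce-* gateway ID.
    # To confirm the prefix list is S3's (and not, say, DynamoDB's), compare it
    # against `aws ec2 describe-prefix-lists` for the region's S3 service name.
    if any(r.get("DestinationPrefixListId") and str(r.get("GatewayId", "")).startswith("vpce-")
           for r in active):
        return "endpoint"
    default = [r for r in active if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if any("NatGatewayId" in r for r in default):
        return "nat"
    if any(str(r.get("GatewayId", "")).startswith("igw-") for r in default):
        return "igw"
    return "none"


def audit(describe_output: dict) -> dict:
    """Map every route table ID to its classification."""
    return {rt["RouteTableId"]: classify_route_table(rt) for rt in describe_output["RouteTables"]}


def needs_attention(describe_output: dict) -> list:
    """Route tables whose subnets cannot reach S3 once public IPs are removed."""
    return sorted(rtb for rtb, path in audit(describe_output).items() if path in ("igw", "none"))


if __name__ == "__main__":
    for rtb, path in audit(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb}: {path}")
    print("needs attention:", needs_attention(SAMPLE_ROUTE_TABLES))
```

On real output, `rtb-public`-style tables (an internet gateway default route and nothing else) are the ones that will break when public IPs are withdrawn; attaching an S3 gateway endpoint to them, or swapping the default route for a NAT gateway, are the two fixes the answer key names.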