AWS Certified SysOps Administrator – Associate (legacy) — Question 642
A security officer has requested that internet access be removed from subnets in a VPC. The subnets currently route internet-bound traffic to a NAT gateway. A SysOps administrator needs to remove this access while allowing access to Amazon S3.
Which solution will meet these requirements?
Answer options
- A. Set up an internet gateway. Update the route table on the subnets to use the internet gateway to route traffic to Amazon S3.
- B. Set up an S3 VPC gateway endpoint. Update the route table on the subnets to use the gateway endpoint to route traffic to Amazon S3.
- C. Set up additional NAT gateways in each Availability Zone. Update the route table on the subnets to use the NAT gateways to route traffic to Amazon S3.
- D. Set up an egress-only internet gateway. Update the route table on the subnets to use the egress-only internet gateway to route traffic to Amazon S3.
Correct answer: B
Explanation
A gateway VPC endpoint for Amazon S3 is the only option that satisfies both requirements. Creating the endpoint and associating it with the subnets' route tables adds a route whose destination is the S3 prefix list for the Region and whose target is the endpoint (vpce-...), so S3 traffic stays on the AWS network and never needs a path to the internet. The administrator can then delete the 0.0.0.0/0 route that points at the NAT gateway, which removes general internet access. Create the endpoint and confirm S3 works through it before removing the NAT route, and note that a gateway endpoint only serves S3 in the same Region; cross-Region bucket access will stop working once the NAT route is gone, which is the intended effect.

The other options all keep or add internet access rather than removing it. Option A, an internet gateway, would turn the subnets into public subnets with direct inbound and outbound internet reachability. Option C, more NAT gateways, improves availability of exactly the egress path the security officer asked to remove; S3 traffic through a NAT gateway still traverses the public internet. Option D, an egress-only internet gateway, provides outbound IPv6 internet access, so it neither removes internet access nor provides a private path to S3.
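The change described above can be verified from the route table itself: after the endpoint is created and the NAT route deleted, the table should contain no route targeting a NAT gateway, an internet gateway, or an egress-only internet gateway, and should contain a prefix-list route targeting the S3 endpoint. The following is an added example, not part of the original question or of any AWS documentation. The route table dictionaries are constructed by hand in the shape that `aws ec2 describe-route-tables` (and boto3 `describe_route_tables`) returns; all resource IDs and the prefix list ID are made up for illustration. The AWS CLI commands shown in the comments are the real commands used to make the change.

```python
"""Audit a subnet route table for the 'S3 via gateway endpoint, no internet' posture.

Procedure this checks (AWS CLI; region, VPC and route table IDs are placeholders):
  aws ec2 create-vpc-endpoint --vpc-id vpc-0aaa \
      --service-name com.amazonaws.us-east-1.s3 --vpc-endpoint-type Gateway \
      --route-table-ids rtb-0aaa
  aws ec2 delete-route --route-table-id rtb-0aaa --destination-cidr-block 0.0.0.0/0
Creating the endpoint first keeps S3 reachable while the NAT route is removed.
"""

# Hypothetical prefix list ID for com.amazonaws.<region>.s3 (constructed, not a real value).
S3_PREFIX_LIST = "pl-0123456789abcdef0"

# Constructed route tables in describe-route-tables shape. IDs are made up.
BEFORE = {
    "RouteTableId": "rtb-0aaa",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"},
    ],
}

AFTER = {
    "RouteTableId": "rtb-0aaa",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # Route added by create-vpc-endpoint: S3 prefix list -> gateway endpoint.
        {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": "vpce-0ccc", "State": "active"},
    ],
}


def _target(route):
    """Return the target resource ID of a route, whichever attribute carries it."""
    for key in ("NatGatewayId", "EgressOnlyInternetGatewayId", "GatewayId",
                "TransitGatewayId", "VpcPeeringConnectionId", "NetworkInterfaceId"):
        if route.get(key):
            return route[key]
    return None


def internet_routes(route_table):
    """Routes that give internet egress: any NAT gateway, internet gateway,
    or egress-only internet gateway target, regardless of destination CIDR."""
    flagged = []
    for route in route_table["Routes"]:
        target = _target(route) or ""
        if (route.get("NatGatewayId")
                or route.get("EgressOnlyInternetGatewayId")
                or target.startswith("igw-")):
            flagged.append(route)
    return flagged


def has_s3_endpoint_route(route_table, prefix_list_id):
    """True if an active prefix-list route to a gateway endpoint (vpce-...) exists."""
    return any(
        route.get("DestinationPrefixListId") == prefix_list_id
        and str(route.get("GatewayId", "")).startswith("vpce-")
        and route.get("State") == "active"
        for route in route_table["Routes"]
    )


def audit(route_table, prefix_list_id):
    """Return a list of findings; an empty list means the posture is correct."""
    rtb = route_table["RouteTableId"]
    findings = []
    for route in internet_routes(route_table):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        findings.append(f"{rtb}: {dest} -> {_target(route)} still provides internet egress")
    if not has_s3_endpoint_route(route_table, prefix_list_id):
        findings.append(f"{rtb}: no active route for {prefix_list_id} to an S3 gateway endpoint")
    return findings


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(table, S3_PREFIX_LIST) or "OK")
```

The audit flags any route whose target is a NAT gateway or egress-only internet gateway, not only the 0.0.0.0/0 default, because a narrower CIDR pointing at a NAT gateway is still a path to the internet for that range. For the endpoint route to be usable, the VPC must have DNS support enabled so the regional S3 hostname resolves, and the subnet's network ACL must allow outbound traffic to the S3 prefix list CIDRs; those are outside what a route table audit can see.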