AWS Certified SysOps Administrator – Associate (legacy) — Question 764
A company's application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company's application and the S3 bucket must never leave the Amazon network.
What AWS feature can provide this functionality?
Answer options
- A. Security groups
- B. NAT gateways
- C. Virtual private gateway
- D. Gateway VPC endpoints
Correct answer: D
Explanation
Gateway VPC endpoints provide private connectivity between a VPC and Amazon S3: the endpoint becomes a route-table target for the S3 service prefix list, so requests from the EC2 instances reach S3 entirely within the AWS network, without a public IP address, an internet gateway, or any traversal of the public internet. NAT gateways, by contrast, route traffic to the public internet, and a virtual private gateway connects a VPC to an on-premises network over VPN or Direct Connect. Security groups act as instance-level firewalls that control inbound and outbound traffic, but they do not route traffic privately to S3.