AWS Certified SysOps Administrator – Associate (legacy) — Question 924
A company is storing monthly reports on Amazon S3. The company's security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet.
What should the SysOps Administrator do to meet this requirement?
Answer options
- A. Use AWS Direct Connect and a public virtual interface to connect to Amazon S3.
- B. Use a managed NAT gateway to connect to Amazon S3.
- C. Deploy a VPC endpoint to connect to Amazon S3.
- D. Deploy an internet gateway to connect to Amazon S3.
Correct answer: C
Explanation
Configuring a VPC endpoint for Amazon S3 gives instances in the VPC private connectivity to S3: traffic stays on the AWS network and never traverses the public internet. In contrast, an internet gateway or a NAT gateway sends traffic to S3 over the public internet, which violates the security requirement. AWS Direct Connect with a public virtual interface is designed for on-premises connectivity to AWS public services; it does not keep traffic between the VPC and S3 off the internet.
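An added example, not part of the original question or its explanation: once the VPC endpoint exists, a bucket policy like the one below turns the requirement into something enforceable and auditable by denying any request that does not arrive through that endpoint (the `aws:SourceVpce` condition key). The bucket name and the `vpce-` id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotViaVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-monthly-reports",
        "arn:aws:s3:::example-monthly-reports/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    }
  ]
}
```

Because the deny matches whenever the key is absent, it also blocks console and CLI access from outside the VPC, so carve out an administrative role (for example with an `aws:PrincipalArn` condition) and test on a non-production bucket before applying it to the reports bucket.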