A company is deploying a fleet of EC2 instances in a private subnet. The instances need to access Amazon S3 to download configuration files. The security policy strictly prohibits traffic from traversing the public internet. What is the MOST secure way to provide this access?

Answer options:

Deploy a NAT Gateway in a public subnet.

Create a VPC Gateway Endpoint for Amazon S3 and update the route table.

Set up an AWS Direct Connect connection to S3.

Use an Internet Gateway and restrict access using Security Groups.

How to approach this question

Identify the requirement to avoid the public internet. VPC Endpoints (Gateway for S3/DynamoDB) keep traffic on the AWS backbone.

Full Answer

B.Create a VPC Gateway Endpoint for Amazon S3 and update the route table.✓ Correct

A VPC endpoint enables private connections between your VPC and supported AWS services. Traffic between your VPC and the other service does not leave the Amazon network.

Common mistakes

Choosing NAT Gateway, which technically works but violates the 'no public internet' constraint.

Question 11 All questions Question 13

Practice the full AWS SAA-C03 Practice Exam 7

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team needs...Medium Q02An application runs on Amazon EC2 instances and needs to access an Amazon S3 bucket. What is the ...Easy Q03A company wants to implement federated access to the AWS Management Console for its employees usi...Medium Q04A company is building a mobile application that requires users to sign in using their social medi...Easy Q05A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. H...Medium

View all 65 questions →