A company is building a machine learning pipeline. Data scientists need to access sensitive datasets stored in Amazon S3. The security team requires that the data scientists' access to S3 must not traverse the public internet. The data scientists use Amazon SageMaker notebook instances deployed in a private VPC subnet. How should the architect secure the S3 access?

Answer options:

A.

Deploy a NAT Gateway in a public subnet and route S3 traffic through it.

B.

Create a Gateway VPC Endpoint for Amazon S3 in the VPC and update the route tables.

C.

Establish an AWS Direct Connect connection to access S3.

D.

Use AWS VPN to encrypt the traffic between the VPC and S3.

How to approach this question

Identify the service that provides private connectivity to S3.

Full Answer

B.Create a Gateway VPC Endpoint for Amazon S3 in the VPC and update the route tables.✓ Correct

A Gateway VPC Endpoint allows instances in a private subnet to access Amazon S3 without requiring a public IP address or NAT device. The traffic remains on the AWS global network.

Common mistakes

Thinking a NAT Gateway keeps traffic off the internet.

Question 31 All questions Question 33

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 7

75 questions · hints · full answers · grading

Sign up free Take the exam

More questions from this exam

Q01A global enterprise is designing a multi-region network architecture connecting 50 AWS accounts a...Hard Q02A company is migrating its hybrid network to AWS. They have two 10 Gbps AWS Direct Connect connec...Hard Q03An enterprise has 100 AWS accounts in AWS Organizations. The security team mandates that all Amaz...Medium Q04A financial company requires that all EBS volumes, S3 buckets, and RDS databases be encrypted usi...Easy Q05An enterprise is designing a disaster recovery strategy for a critical application running on Ama...Hard

View all 75 questions →