Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 70 discussion

Technically both B and C are possible, but with B encryption is enforced. You can prevent unencrypted S3 actions via bucket policies, but not mentioned in the question, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-HTTP-HTTPS In this case interface vpc endpoint for S3 is also correct, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html > "You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (by using AWS PrivateLink). A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region by using VPC peering or AWS Transit Gateway." But in this context I would go for B:

both B and C are correct. Option B involves double encryption which is more secure but it's not explicitly defined in requirement that it would be required.

C is the best answer for this question to meet all the company's requirements.

Option B (IPsec VPN over Transit VIF): Although this option includes a VPN, it adds unnecessary complexity. A direct interface VPC endpoint for S3, as in Option C, is a more straightforward and secure solution that avoids public internet use and encryption concerns.

Because it introduces an additional VPN connection, which is unnecessary if you already have Direct Connect

Both B and C meet the required objective. B provides double encryption BUT it is not end to end, before Customer Gateway (on-prem server to on-prem router) and After TGW (TGW to VPC S3 Endpoint), the data is being carried as HTTPS. So VPN is just adding double encryption for partial route not end to end. In that case it is not much better than C.

Both B and C are possible solution, but C is not mentioning about routing configuration on TGW or etc. and you can make IPsec VPN over transit VIF https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway-vpn.html

C is not possible since S3 itself cannot terminate TLS (HTTPS) connection

The request is to avoid transporting data over the Internet (DX would ensure that), and use in-transit encryption (HTTPS will do that). That being said, I see no point to create IPSEC VPN over DX connection, as long as Amazon S3 supports both interface endpoints (along with gateway endpoints ofc), and can reach S3 interface endpoint through DX connection and configure it (via IAM policy) to only used HTTPS. Option C is correct. Fulfilling, and without IPSEC VPN config. Had option C worded "S3 gateway endpoint" instead of "S3 interface endpoint", it would be wrong. As it is, it is just fine.

Using HTTPS allows us to fulfil the end to end encryption without needing a VPN. Using Interface endpoints to S3 allows us an HTTPS API to S3 that stays in AWS private network. Thus we didn't need a VPN thus the correct answer is C.

C is enough, even VPN can established over transit VIF. End-end encryption is guaranteed by https, double encryption is not required, and site-site vpn is not end-to-end encryption of data in transit.

For those wondering how answer B will look like, please refer to the URL below. Ref: https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/traffic-encryption-options-direct-connect-ra.pdf All the best.

I think (A) is the correct answer. Public VIF doesn't mean the traffic will flow through the public Internet. It'll reach AWS services through Public IP.

Agree B) will be the most suitable option here. Just for knowledge & clarity purposes, was curious to understand why Option A) got ruled out here.

create vpc endpoint and use IPSec VPN

Explanation: To meet the requirements of encrypting the data in transit and avoiding public internet, you can create an IPsec VPN connection over the transit VIF. Then, create a VPC and attach it to the transit gateway. Inside the VPC, you can provision an interface VPC endpoint (also known as a PrivateLink) for Amazon S3, which allows secure communication to Amazon S3 over the AWS network. Using HTTPS for communication ensures that the data remains encrypted in transit.

VPN can be over Transit VIF: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway-vpn.html