Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 667 discussion

Ans is C: >>You can access Amazon S3 from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3. There is no additional charge for using gateway endpoints. Amazon S3 supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

Gateway Endpoint -> only within same VPC Interface Endpoint -> On-premises (VPN or Direct Connect), or different Region over VPC peering.

VPC has access to S3 through gateway endpoint or interface endpoint. Gateway is better. If we have Direct connect to VPC from on-premises network we get access to S3.

Please C

Gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html With AWS PrivateLink for Amazon S3, you can provision interface VPC endpoints (interface endpoints) in your virtual private cloud (VPC). These endpoints are directly accessible from applications that are on premises over VPN and AWS Direct Connect, or in a different AWS Region over VPC peering.

Not A, Gateway endpoint can be accessed only from inside the VPC it's in Not B, Transit Gateway alone won't help Not D, KMS has nothing to do with this

Answer seems to be C gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide.

gateway endpoint uses public ip address even if traffic does not directly route thru the internet, also they are no meant to be used from on-premises. Answer is C

Options A, B, and D are not the most suitable for the following reasons: A. Create gateway endpoints for Amazon S3: Gateway endpoints are used for accessing S3 from within a VPC, but they do not extend connectivity to on-premises locations. B. Create a gateway in AWS Transit Gateway: AWS Transit Gateway is designed for routing traffic between VPCs and on-premises networks but is not used as a direct gateway for S3 access. D. Use an AWS Key Management Service (AWS KMS) key: AWS KMS is a key management service and does not provide direct access to S3. It's used for managing encryption keys. Therefore, option C, creating interface endpoints for Amazon S3, is the most appropriate solution for securely accessing S3 from both the AWS Region and the on-premises location.

Transit Gateway support inter region. interface gateway not use in S3

GW Endpoint is only for S3 and DynamoDB, interface endpoint for other services so C is wrong

S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/#:~:text=associated.%20S3%20gateway-,endpoints,-do%20not%20currently

C . S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. However, if you’re willing to manage a complex custom architecture, you can use proxies. In all those scenarios, where access is from resources external to VPC, S3 interface endpoints access S3 in a secure way. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

Selected Answer: A https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. There is no additional charge for using gateway endpoints.

CCCCCC

Amazon VPC interface endpoints enable you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN, or Direct Connect connection. By creating interface endpoints for Amazon S3 in both the AWS Region and the on-premises location, you can securely access data without traversing the internet. Direct Connect Connection: With an AWS Direct Connect connection established between the AWS Region and the on-premises location, the data can flow over the dedicated, private connection rather than going over the public internet.