Exam AWS Certified Solutions Architect - Professional topic 1 question 873 discussion

C is the answer, you need an interface gateway. S3 access through gateway endpoints is supported only for resources in a specific VPC to which the endpoint is associated. S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

I believe should be A, https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

A - I would have to try it out. I don't think it would work. B - Its marked as the correct answer. I am not sure why, but the correct answer is almost always wrong. C- This seems crazy and over kill, but it should work.

A) and here's the reasoning: * Cross-Region VPC Peering: This allows the instances in VPC B to communicate with resources in VPC A, which includes the gateway VPC endpoint for S3. * Using the Gateway VPC Endpoint: The S3 gateway endpoint in VPC A enables secure access to S3 without the need for public internet access, which aligns with the requirement that the S3 bucket should not be publicly accessible. * Bucket Policy: Since the bucket policy allows traffic only from the VPC A endpoint, the cross-region peering allows the EC2 instances in VPC B to utilize the endpoint from VPC A for accessing S3. * Other options either involve creating unnecessary resources (like an additional VPC or VPN connections) or do not align with the requirements of accessing the S3 bucket securely from a different region without making it public.

https://repost.aws/knowledge-center/vpc-endpoints-cross-region-aws-services need peering and update route table with endpoint

A is easy

S3 is a global resource. So you can access an S3 Bucket from any regional access point. Gateway access Points on the other hand are regional. Ultimatelely it is routing S3 requests to the regional access point. Works. C is a little cumbersome for S3 access but - depending on how I choose to interpret the implementation details - might work. But: for one if I want an interface entpoint, I would simply create S3 endpoint and secondly the question explicitely states that an s3 gatway endpoint has to be used. C are interface endpoints to services and not gateway endpoints.

It is B https://repost.aws/knowledge-center/connect-s3-vpc-endpoint

Must be c by process of elimination

Option B is the right answer It's important to note that cross-region VPC peering is supported between VPCs in different accounts and different regions but it is not currently supported between VPCs in different regions within the same account. Also, to use VPC endpoints to access S3 resources across regions, you will need to create a VPC endpoint for each S3 region that you want to access.

A-> Resources on the other side of a VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC can not use a S3 gateway endpoint to communicate with Amazon S3. B-> It's not possible. "A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html so I'll go with C

Its A because https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

D seems overkill A doesn't seem like it's going to work B also won't work Answer must be C: Gateway VPC endpoint is VPC specific and allows access to resources in that region only. "A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets." "Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

A https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

Answer is B IMHO - you can write to an S3 bucket from anywhere, and a Gateway Endpoint in VPC B is to the S3 service in that region. Yes there is more latency. As long as I can communicate to S3 service and have some sort of auth, I can write to a bucket anywhere.

Neither A nor B are correct. This is because they both use S3 "gateway" endpoints. Gateway endpoints cannot be used outside of its own VPC, and they also cannot reference S3 buckets in another Region. Answer C is correct. For answer C, it has both relevant and non-relevant information in it. The relevant part for accessing the S3 bucket from both Regions is: "Create a third VPC (VPC C) in ca-central-1. Create a cross-Region VPC peering connection between VPC C and VPC B in us-east-1. Use the interface VPC endpoint created with PrivateLink in VPC C to call the services." An interface VPC endpoint is a newer offering (for S3 can be accessed across a cross-Region VPC peering connection. The rest of the answer isn't relevant as it speaks to what you can do for accessing the application. https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/