
Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 91 discussion

A company has applications that run on Amazon EC2 instances in a VPC. One of the applications needs to call the Amazon S3 API to store and read objects. According to the company's security regulations, no traffic from the applications is allowed to travel across the internet.
Which solution will meet these requirements?

  • A. Configure an S3 gateway endpoint.
  • B. Create an S3 bucket in a private subnet.
  • C. Create an S3 bucket in the same AWS Region as the EC2 instances.
  • D. Configure a NAT gateway in the same subnet as the EC2 instances.
Suggested Answer: A

Comments

ArielSchivo
Highly Voted 1 year, 12 months ago
Selected Answer: A
Gateway endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. It should be option A. https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
upvoted 30 times
...
Buruguduystunstugudunstuy
Highly Voted 1 year, 9 months ago
Selected Answer: A
***CORRECT***
The correct solution is Option A (Configure an S3 gateway endpoint.) A gateway endpoint is a VPC endpoint that you can use to connect to Amazon S3 from within your VPC. Traffic between your VPC and Amazon S3 never leaves the Amazon network, so it doesn't traverse the internet. This means you can access Amazon S3 without the need to use a NAT gateway or a VPN connection.
***WRONG***
Option B (creating an S3 bucket in a private subnet) is not a valid solution because S3 buckets do not have subnets.
Option C (creating an S3 bucket in the same AWS Region as the EC2 instances) is not a requirement for meeting the given security regulations.
Option D (configuring a NAT gateway in the same subnet as the EC2 instances) is not a valid solution because it would allow traffic to leave the VPC and travel across the Internet.
upvoted 16 times
...
PaulGa
Most Recent 1 month ago
Selected Answer: A
Ans A - S3 gateway endpoint: dedicated end-end and private
upvoted 1 times
...
jaradat02
2 months, 3 weeks ago
Selected Answer: A
A is the correct answer
upvoted 1 times
...
effiecancode
3 months, 1 week ago
it's definitely A
upvoted 1 times
...
JohnZh
6 months, 2 weeks ago
A. Configure an S3 gateway endpoint. Correct: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC. Additionally, you need to configure the route table for the subnet where EC2 stays, but we have the key word here.
B. Create an S3 bucket in a private subnet. I am not aware that we can create an S3 bucket in a certain subnet.
C. Create an S3 bucket in the same AWS Region as the EC2 instances. Not enough. Without a VPC gateway endpoint, access will go out through the internet.
D. Configure a NAT gateway in the same subnet as the EC2 instances. NAT gateway outbound traffic should also go out to the internet.
upvoted 1 times
...
Charumathi
8 months, 4 weeks ago
Selected Answer: A
You can access Amazon S3 from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3. There is no additional charge for using gateway endpoints. Amazon S3 supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 1 times
...
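The route-table step mentioned in the comments above can be verified after the endpoint is created. The following is an added example, not part of any comment or of AWS's own code: it classifies how S3-bound traffic leaves each subnet. The records are constructed and only mirror the shape of `aws ec2 describe-route-tables` output; every ID, including the S3 prefix list ID, is a made-up placeholder.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# All IDs are placeholders invented for this example.
S3_PREFIX_LIST_ID = "pl-0example0s3"  # assumed ID of com.amazonaws.<region>.s3

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
NAT_DEFAULT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}
S3_ENDPOINT = {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": "vpce-0example"}

ROUTE_TABLES = [
    # Gateway endpoint route present alongside a NAT default route.
    {"RouteTableId": "rtb-0aaa", "Associations": [{"SubnetId": "subnet-app-1"}],
     "Routes": [LOCAL, NAT_DEFAULT, S3_ENDPOINT]},
    # NAT default route only: S3 calls leave through the NAT gateway.
    {"RouteTableId": "rtb-0bbb", "Associations": [{"SubnetId": "subnet-app-2"}],
     "Routes": [LOCAL, NAT_DEFAULT]},
    # Isolated subnet with no endpoint: S3 is unreachable.
    {"RouteTableId": "rtb-0ccc", "Associations": [{"SubnetId": "subnet-app-3"}],
     "Routes": [LOCAL]},
]

def s3_path(route_table, s3_prefix_list_id):
    """Classify how S3-bound traffic leaves a subnet using this route table."""
    default_target = ""
    for route in route_table["Routes"]:
        if route.get("State", "active") != "active":
            continue  # blackhole routes carry no traffic
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if (route.get("DestinationPrefixListId") == s3_prefix_list_id
                and target.startswith("vpce-")):
            # The prefix-list route is more specific than 0.0.0.0/0, so it wins.
            return "gateway-endpoint"
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_target = target
    if default_target.startswith(("igw-", "nat-")):
        return "internet-path"
    return "no-route"

def audit(route_tables, s3_prefix_list_id):
    """Map each explicitly associated subnet to its S3 path classification."""
    result = {}
    for rt in route_tables:
        path = s3_path(rt, s3_prefix_list_id)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = path
    return result

if __name__ == "__main__":
    for subnet, path in audit(ROUTE_TABLES, S3_PREFIX_LIST_ID).items():
        print(subnet, path)
```

A subnet reported as `internet-path` is one where the endpoint was created but never added to that subnet's route table, or was never created at all.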
awsgeek75
9 months ago
Selected Answer: A
EC2 to S3 without public internet = S3 gateway
B: Cannot be implemented
C: Even if you create EC2 and S3 in same region, without a S3 gateway it will use the public internet
D: Makes no sense, NAT gateway in the subnet as EC2 instance to do what?
upvoted 1 times
...
Ruffyit
11 months, 3 weeks ago
A gateway endpoint is a VPC endpoint that you can use to connect to Amazon S3 from within your VPC. Traffic between your VPC and Amazon S3 never leaves the Amazon network, so it doesn't traverse the internet. This means you can access Amazon S3 without the need to use a NAT gateway or a VPN connection
upvoted 1 times
...
David_Ang
1 year ago
Selected Answer: A
Answer "A" is correct because an endpoint creates a way for the data to travel in the VPC
upvoted 1 times
...
TariqKipkemei
1 year, 1 month ago
Selected Answer: A
Prevent traffic from traversing the internet = Gateway VPC endpoint for S3.
upvoted 1 times
...
Guru4Cloud
1 year, 2 months ago
Selected Answer: A
Configure an S3 gateway endpoint
upvoted 1 times
...
tamefi5512
1 year, 3 months ago
Selected Answer: A
https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
upvoted 1 times
...
cookieMr
1 year, 3 months ago
B. Creating an S3 in a private subnet restricts direct internet access to the bucket but does not provide a direct and secure connection between the EC2 and the S3. The application would still need to traverse the internet to access the S3 API.
C. Creating an S3 in the same Region as the EC2 does not inherently prevent traffic from traversing the internet.
D. Configuring a NAT gateway allows outbound internet connectivity for resources in private subnets, but it does not provide a direct and secure connection to the S3 service. The traffic from the EC2 to the S3 API would still traverse the internet.
The most suitable solution is to configure an S3 gateway endpoint (option A). It provides a secure and private connection between the VPC and the S3 service without requiring the traffic to traverse the internet. With an S3 gateway endpoint, the EC2 can access the S3 API directly within the VPC, meeting the security requirement of preventing traffic from traveling across the internet.
upvoted 2 times
...
Bmarodi
1 year, 4 months ago
Selected Answer: A
Configure an S3 gateway endpoint is the answer.
upvoted 1 times
...
gustavtd
1 year, 9 months ago
Selected Answer: A
S3 Gateway Endpoint is a VPC endpoint.
upvoted 1 times
...
langiac
1 year, 10 months ago
Selected Answer: A
https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
upvoted 1 times
...