Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 208 discussion

I think answer should be A and not B. as we cannot "Attach a security groups to a gateway endpoint."

The correct solution to meet the requirements is Option B. A gateway VPC endpoint for Amazon S3 should be created in the Availability Zone where the EC2 instance is located. This will allow the EC2 instance to access the S3 bucket directly, without routing through the public internet. The endpoint should also be configured with appropriate security groups to allow access to the S3 bucket. Additionally, a resource policy should be attached to the S3 bucket to only allow the EC2 instance's IAM role for access.

B will be correct if removing the "Attach appropriate security group to the endpoint" and gateway point is free of charge.

Option A uses an interface VPC endpoint, which is typically used for services that require a private IP address within your VPC. For S3, a gateway VPC endpoint is more appropriate and cost-effective1

Interface VPC Endpoint: Interface endpoints are generally used for other AWS services and do not provide the same direct access optimization for S3 that gateway endpoints do.

In this context, a Gateway VPC Endpoint is the correct choice for S3, as it provides direct, private access to S3 and routes traffic internally within the AWS networ

Why Option B is Correct: Gateway VPC Endpoint for Amazon S3: S3 does not require an interface endpoint; it uses a gateway VPC endpoint. Gateway endpoints ensure that requests stay within the AWS network, meeting the requirement of no public internet routes. Resource Policy: Attaching a bucket policy ensures that only the EC2 instance's IAM role has access to the bucket. Appropriate Security Controls: The gateway endpoint can be secured further using policies and security group configurations.

It is A. Gateway endpoint route table. Interface endpoint uses security groups and private link. See aws video https://youtu.be/TqApkvJx5hw?si=9Gpk3V7OcPU6MVJI

gateway VPC endpoint is used for connect from VPC to S3 and DynamoDB

You might initially lean toward Option B since a gateway endpoint is generally the preferred solution for EC2 instances in the same region. It’s cost-effective (free), performance-optimized, and simpler to configure. However, for the exam, technical precision in details is crucial. Option B is incorrect because: Gateway VPC endpoints are created at the VPC level, not at the Availability Zone level. Security groups must be attached to the EC2 instance (the source service) to allow outbound traffic using the prefix list associated with the gateway endpoint. Due to these reasons, Option A is the correct answer. While not ideal in real-world scenarios for EC2 instances in the same region, it is technically accurate and satisfies the exam's requirements.

correct ans is B

you cannot attach a security group to a gateway VPC endpoint. Security groups can only be attached to interface VPC endpoints-- so option B is wrong Option A won’t work because an interface VPC endpoint for Amazon S3 is not supported. Amazon S3 only supports gateway VPC endpoints. Interface VPC endpoints are used for services that are powered by AWS PrivateLink, which is not applicable to S3. There is something wrong with options provided

B have "Attach appropriate security groups to the endpoint" Gateway Endpoints: Provisions a gateway and must be used as a target in a route table (does not use security groups) so B is incorrect and A is correct$

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.

Gateway endpoint for S3 Use Amazon S3 public IP addresses, while interface endpoint use private IP addresses from your VPC to access Amazon S3. As mentioned, no traffic is allowed through the public route, so ANS is A

I vote for A, because there is no option to attach security group for gateway vpc endpoint. Apart from that in most cases gateway endpoint is preferable for S3, but this little detail about the security group changes my answer for A. Gateway endpoints uses routing tables instead security groups.

Interface VPC endpoints are more suited for services that require private connectivity via a network interface. For S3, a Gateway VPC Endpoint is more appropriate and cost-effective since it integrates at the route table level without requiring additional cost per endpoint.