Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 208 discussion

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

  • A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
Suggested Answer: A
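The two halves of the suggested answer are the network path (a VPC endpoint, so the API call never leaves the AWS network) and the resource policy (so nobody but the instance role can write). The policy half is usually where deployments go wrong: an Allow for the role alone does not stop another principal with an identity policy that grants s3:*, and it does not stop the role itself from reaching the bucket over a public route. The added example below is not from the page or from AWS; it builds the bucket policy pattern that closes both holes (one Allow plus two explicit Denys keyed on aws:sourceVpce and aws:PrincipalArn) and checks it with a deliberately simplified evaluator. The bucket name, endpoint ID, account ID and role names are constructed placeholders, and the break-glass admin role is an assumption added so the Deny does not lock the bucket owner out; the evaluator only models the bucket policy, not identity policies, SCPs or resource ARN matching.

```python
import fnmatch
import json

# Constructed identifiers for illustration; none of them appear on the page.
BUCKET = "example-upload-bucket"
VPCE_ID = "vpce-0123456789abcdef0"                              # interface endpoint for S3
UPLOADER_ROLE = "arn:aws:iam::111122223333:role/UploaderRole"  # EC2 instance role
ADMIN_ROLE = "arn:aws:iam::111122223333:role/BucketAdmin"      # assumed break-glass role


def build_bucket_policy(bucket, vpce_id, uploader_role, admin_role):
    """Bucket policy: one Allow for the uploader, two Denys that fence everyone else.

    An explicit Deny always wins in IAM evaluation, so even an identity policy
    granting s3:* cannot reach the bucket from outside the endpoint or from a
    principal other than the roles listed."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowInstanceRoleUpload",
                "Effect": "Allow",
                "Principal": {"AWS": uploader_role},
                "Action": "s3:PutObject",
                "Resource": objects,
            },
            {
                "Sid": "DenyUnlessViaEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects],
                # A request that did not traverse the endpoint carries no
                # aws:sourceVpce key; StringNotEquals treats a missing key as
                # "not equal", so the Deny also covers public-route requests.
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                "Sid": "DenyUnlessAllowedRole",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects],
                # aws:PrincipalArn is the role ARN for an assumed-role session,
                # so sessions from the instance profile match the role ARN.
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [uploader_role, admin_role]}},
            },
        ],
    }


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    aws = principal.get("AWS", [])
    return principal_arn in ([aws] if isinstance(aws, str) else aws)


def _condition_holds(condition, ctx):
    """Only the two negated operators used in the policy above are modelled."""
    for operator, pairs in condition.items():
        if operator not in ("StringNotEquals", "ArnNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            actual = ctx.get(key)
            # Negated operators evaluate to true when the key is absent.
            if actual is not None and actual in expected:
                return False
    return True


def request_allowed(policy, principal_arn, action, source_vpce=None):
    """Simplified bucket-policy-only evaluation: a matching Deny wins, otherwise
    the request needs a matching Allow. Identity policies, SCPs and resource
    ARN matching are left out; use the IAM policy simulator for a real answer."""
    ctx = {"aws:PrincipalArn": principal_arn}
    if source_vpce is not None:
        ctx["aws:sourceVpce"] = source_vpce
    allowed = False
    for st in policy["Statement"]:
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if not _principal_matches(st["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


POLICY = build_bucket_policy(BUCKET, VPCE_ID, UPLOADER_ROLE, ADMIN_ROLE)


def policy_json():
    """Text for `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`."""
    return json.dumps(POLICY, indent=2)


if __name__ == "__main__":
    print(policy_json())
    print(request_allowed(POLICY, UPLOADER_ROLE, "s3:PutObject", VPCE_ID))  # via endpoint: allowed
    print(request_allowed(POLICY, UPLOADER_ROLE, "s3:PutObject"))           # public route: denied
```

The same aws:sourceVpce condition works whether the endpoint is a gateway or an interface endpoint; what differs is how the endpoint is attached. A gateway endpoint is a target in the VPC route table and has no network interface, so there is nothing to put a security group on, while an interface endpoint is an ENI in a subnet that does carry security groups, which is why the thread below settles on option A. One operational caveat for the interface endpoint: the instance must actually send its requests to the endpoint, for example with `--endpoint-url https://bucket.<vpce-id>.s3.<region>.vpce.amazonaws.com` on the AWS CLI, or the request will take the regular S3 hostname and the DenyUnlessViaEndpoint statement will reject it.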

Comments

SSASSWS
Highly Voted 2 years ago
Selected Answer: A
I think the answer should be A and not B, as we cannot "attach security groups to a gateway endpoint."
upvoted 38 times
A_New_Guy
2 years ago
It's possible: https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/
upvoted 4 times
kruasan
1 year, 7 months ago
No, it’s not
upvoted 3 times
smartegnine
1 year, 6 months ago
Create a security group that allows the resources in your VPC to communicate with the endpoint network interfaces for the VPC endpoint. To ensure that tools such as the AWS CLI can make requests over HTTPS from resources in the VPC to the AWS service, the security group must allow inbound HTTPS traffic. For Security groups, select the security groups to associate with the endpoint network interfaces for the VPC endpoint. By default, we associate the default security group for the VPC.
upvoted 2 times
slackbot
1 year, 4 months ago
this is valid for interface endpoint, not for gateway endpoint, which option B mentioned
upvoted 3 times
markw92
1 year, 6 months ago
A gateway endpoint must be used as a target in a route table; it does not use security groups.
upvoted 7 times
Iconique
1 year, 2 months ago
Go to console and test it yourself! With Interface Endpoint you can add security groups.
upvoted 2 times
elmyth
1 month, 3 weeks ago
Interface VPC endpoint is A.
upvoted 2 times
Buruguduystunstugudunstuy
Highly Voted 2 years ago
Selected Answer: B
The correct solution to meet the requirements is Option B. A gateway VPC endpoint for Amazon S3 should be created in the Availability Zone where the EC2 instance is located. This will allow the EC2 instance to access the S3 bucket directly, without routing through the public internet. The endpoint should also be configured with appropriate security groups to allow access to the S3 bucket. Additionally, a resource policy should be attached to the S3 bucket to only allow the EC2 instance's IAM role for access.
upvoted 35 times
JA2018
1 month ago
Check this out: https://www.examtopics.com/discussions/amazon/view/83857-exam-aws-certified-solutions-architect-associate-saa-c02/ Selected answer: B. So which is the correct answer?!
upvoted 1 times
Option A is incorrect because an interface VPC endpoint for Amazon S3 would not provide a direct connection between the EC2 instance and the S3 bucket. Option C is incorrect because using the nslookup tool to obtain the private IP address of the S3 bucket's service API endpoint would not provide a secure connection between the EC2 instance and the S3 bucket. Option D is incorrect because using the ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint is not a secure method to connect the EC2 instance to the S3 bucket.
upvoted 4 times
ChrisG1454
1 year, 10 months ago
There are two types of VPC endpoint: gateway endpoint and interface endpoint.
A gateway endpoint:
1) Helps you to securely connect to Amazon S3 and DynamoDB
2) Endpoint serves as a target in your route table for traffic
3) Provide access to endpoint (endpoint, identity and resource policies)
An interface endpoint:
1) Helps you to securely connect to AWS services EXCEPT FOR Amazon S3 and DynamoDB
2) Powered by PrivateLink (keeps network traffic within AWS network)
3) Needs an elastic network interface (ENI) (entry point for traffic)
upvoted 34 times
slackbot
1 year, 4 months ago
interface endpoint exists for S3 as well
upvoted 9 times
mhmt4438
1 year, 11 months ago
An interface VPC endpoint does provide a direct connection between the EC2 instance and the S3 bucket. It enables private communication between instances in your VPC and resources in other services without requiring an internet gateway, a NAT device, or a VPN connection. Option A , which recommends creating an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located and attaching a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access, is the correct solution for the given scenario. It meets the requirement to ensure that no API calls and no data are routed through public internet routes and that only the EC2 instance can have access to upload data to the S3 bucket.
upvoted 7 times
Omok
1 year, 10 months ago
In support, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
upvoted 8 times
dipenich
Most Recent 6 days, 8 hours ago
Selected Answer: B
Why Option B is correct:
Gateway VPC endpoint for Amazon S3: S3 does not require an interface endpoint; it uses a gateway VPC endpoint. Gateway endpoints ensure that requests stay within the AWS network, meeting the requirement of no public internet routes.
Resource policy: Attaching a bucket policy ensures that only the EC2 instance's IAM role has access to the bucket.
Appropriate security controls: The gateway endpoint can be secured further using policies and security group configurations.
upvoted 1 times
ARV14
1 week, 3 days ago
Selected Answer: A
It is A. Gateway endpoint: route table. Interface endpoint: uses security groups and PrivateLink. See the AWS video https://youtu.be/TqApkvJx5hw?si=9Gpk3V7OcPU6MVJI
upvoted 1 times
SteveNguyen
1 week, 6 days ago
Selected Answer: B
A gateway VPC endpoint is used to connect from a VPC to S3 and DynamoDB.
upvoted 1 times
FlyingHawk
3 weeks, 6 days ago
Selected Answer: A
You might initially lean toward Option B since a gateway endpoint is generally the preferred solution for EC2 instances in the same region. It's cost-effective (free), performance-optimized, and simpler to configure. However, for the exam, technical precision in details is crucial.
Option B is incorrect because:
- Gateway VPC endpoints are created at the VPC level, not at the Availability Zone level.
- Security groups must be attached to the EC2 instance (the source service) to allow outbound traffic using the prefix list associated with the gateway endpoint.
Due to these reasons, Option A is the correct answer. While not ideal in real-world scenarios for EC2 instances in the same region, it is technically accurate and satisfies the exam's requirements.
upvoted 2 times
Garryg
1 month ago
Selected Answer: B
correct ans is B
upvoted 1 times
jayessh
1 month, 1 week ago
You cannot attach a security group to a gateway VPC endpoint. Security groups can only be attached to interface VPC endpoints, so option B is wrong. Option A won't work because an interface VPC endpoint for Amazon S3 is not supported. Amazon S3 only supports gateway VPC endpoints. Interface VPC endpoints are used for services that are powered by AWS PrivateLink, which is not applicable to S3. There is something wrong with the options provided.
upvoted 2 times
JA2018
1 month ago
https://www.examtopics.com/discussions/amazon/view/83857-exam-aws-certified-solutions-architect-associate-saa-c02/
upvoted 1 times
MALEK00
1 month, 2 weeks ago
B has "Attach appropriate security groups to the endpoint." Gateway endpoints: provision a gateway and must be used as a target in a route table (does not use security groups), so B is incorrect and A is correct.
upvoted 2 times
Mish
1 month, 2 weeks ago
Selected Answer: B
B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
upvoted 1 times
Cmtan
2 months, 4 weeks ago
Selected Answer: A
Gateway endpoints for S3 use Amazon S3 public IP addresses, while interface endpoints use private IP addresses from your VPC to access Amazon S3. As mentioned, no traffic is allowed through the public route, so the answer is A.
upvoted 1 times
bignatov
3 months ago
Selected Answer: A
I vote for A, because there is no option to attach a security group to a gateway VPC endpoint. Apart from that, in most cases a gateway endpoint is preferable for S3, but this little detail about the security group changes my answer to A. Gateway endpoints use route tables instead of security groups.
upvoted 1 times
OlehKom
3 months, 3 weeks ago
Selected Answer: B
Interface VPC endpoints are more suited for services that require private connectivity via a network interface. For S3, a Gateway VPC Endpoint is more appropriate and cost-effective since it integrates at the route table level without requiring additional cost per endpoint.
upvoted 2 times
SamDevNation
4 months ago
Selected Answer: A
It's A; private equals interface. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
upvoted 1 times
AWS_Debu
4 months, 3 weeks ago
Answer should be B. You can attach a security group to a VPC endpoint. This is not the point. For S3 you need to create a gateway VPC endpoint, not an interface VPC endpoint.
upvoted 2 times
tom_cruise
4 months, 3 weeks ago
Gateway endpoints do not enable AWS PrivateLink. So the answer is A.
upvoted 1 times
sonlduet
4 months, 3 weeks ago
It's definitely A. B is wrong because we configure a route table for a gateway VPC endpoint, not a security group or subnet.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other