Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 208 discussion

I think answer should be A and not B. as we cannot "Attach a security groups to a gateway endpoint."

The correct solution to meet the requirements is Option B. A gateway VPC endpoint for Amazon S3 should be created in the Availability Zone where the EC2 instance is located. This will allow the EC2 instance to access the S3 bucket directly, without routing through the public internet. The endpoint should also be configured with appropriate security groups to allow access to the S3 bucket. Additionally, a resource policy should be attached to the S3 bucket to only allow the EC2 instance's IAM role for access.

gateway endpoint does not have any SG.

A VPC gateway endpoint is primarily used for accessing specific AWS services like Amazon S3 and DynamoDB privately within your VPC by specifying a route in your route table, while a VPC interface endpoint offers more flexible connectivity to a wider range of AWS services through AWS PrivateLink, allowing access from both within your VPC and from other VPCs using peering or Transit Gateways, typically with a dedicated private IP address within your VPC network; essentially, gateway endpoints are simpler and often free, while interface endpoints provide greater control and may incur additional costs depending on usage. Gateway endpoints are ideal for simple private access to S3 and DynamoDB, while interface endpoints are better suited for more complex scenarios where you need to access various AWS services from different VPCs or on-premises networks.

Even though Amazon S3 typically uses a Gateway VPC Endpoint, AWS now provides Interface VPC Endpoints for Amazon S3 as well via AWS PrivateLink....and "Attach a security groups to a gateway endpoint." makes the option B - false

B will be correct if removing the "Attach appropriate security group to the endpoint" and gateway point is free of charge.

Option A uses an interface VPC endpoint, which is typically used for services that require a private IP address within your VPC. For S3, a gateway VPC endpoint is more appropriate and cost-effective1

Interface VPC Endpoint: Interface endpoints are generally used for other AWS services and do not provide the same direct access optimization for S3 that gateway endpoints do.

In this context, a Gateway VPC Endpoint is the correct choice for S3, as it provides direct, private access to S3 and routes traffic internally within the AWS networ

Why Option B is Correct: Gateway VPC Endpoint for Amazon S3: S3 does not require an interface endpoint; it uses a gateway VPC endpoint. Gateway endpoints ensure that requests stay within the AWS network, meeting the requirement of no public internet routes. Resource Policy: Attaching a bucket policy ensures that only the EC2 instance's IAM role has access to the bucket. Appropriate Security Controls: The gateway endpoint can be secured further using policies and security group configurations.

It is A. Gateway endpoint route table. Interface endpoint uses security groups and private link. See aws video https://youtu.be/TqApkvJx5hw?si=9Gpk3V7OcPU6MVJI

gateway VPC endpoint is used for connect from VPC to S3 and DynamoDB

You might initially lean toward Option B since a gateway endpoint is generally the preferred solution for EC2 instances in the same region. It’s cost-effective (free), performance-optimized, and simpler to configure. However, for the exam, technical precision in details is crucial. Option B is incorrect because: Gateway VPC endpoints are created at the VPC level, not at the Availability Zone level. Security groups must be attached to the EC2 instance (the source service) to allow outbound traffic using the prefix list associated with the gateway endpoint. Due to these reasons, Option A is the correct answer. While not ideal in real-world scenarios for EC2 instances in the same region, it is technically accurate and satisfies the exam's requirements.

correct ans is B

you cannot attach a security group to a gateway VPC endpoint. Security groups can only be attached to interface VPC endpoints-- so option B is wrong Option A won’t work because an interface VPC endpoint for Amazon S3 is not supported. Amazon S3 only supports gateway VPC endpoints. Interface VPC endpoints are used for services that are powered by AWS PrivateLink, which is not applicable to S3. There is something wrong with options provided

B have "Attach appropriate security groups to the endpoint" Gateway Endpoints: Provisions a gateway and must be used as a target in a route table (does not use security groups) so B is incorrect and A is correct$

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.