Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 208 discussion

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

  • A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
Suggested Answer: B
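The resource-policy half of the solution, as an added example (not ExamTopics' or AWS's code): a bucket policy that allows uploads only for the instance role and explicitly denies any request that did not arrive through the VPC endpoint, using the real `aws:SourceVpce` condition key (set for both gateway and interface endpoints), plus a simplified evaluator that shows which requests get through. The bucket name, account ID, role ARN and endpoint ID are constructed placeholders.

```python
import json

BUCKET = "example-upload-bucket"                            # constructed placeholder
ROLE_ARN = "arn:aws:iam::111122223333:role/Ec2UploadRole"  # constructed placeholder
VPCE_ID = "vpce-0123456789abcdef0"                         # constructed placeholder

def build_bucket_policy(bucket, role_arn, vpce_id):
    """Allow s3:PutObject for the instance role only, and deny every request whose
    aws:SourceVpce is not the endpoint (the key is absent for internet requests)."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowUploadFromInstanceRole", "Effect": "Allow",
             "Principal": {"AWS": role_arn}, "Action": "s3:PutObject",
             "Resource": objects},
            {"Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }

def _statement_matches(stmt, principal_arn, action, source_vpce):
    """Simplified IAM matching on Principal, Action and StringNotEquals conditions."""
    principal = stmt["Principal"]
    if principal != "*" and principal.get("AWS") != principal_arn:
        return False
    actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
    if not any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in actions):
        return False
    # A negated operator is true when the key is absent from the request context,
    # so a request that never touched the endpoint always matches the Deny.
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if {"aws:SourceVpce": source_vpce}.get(key) == expected:
            return False
    return True

def request_allowed(policy, principal_arn, action, source_vpce=None):
    """Explicit Deny wins; otherwise a matching Allow is required (implicit deny)."""
    matching = [s for s in policy["Statement"]
                if _statement_matches(s, principal_arn, action, source_vpce)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, ROLE_ARN, VPCE_ID), indent=2))
```

The `Principal: "*"` Deny also locks out the account's own administrators working from the console or CLI outside the VPC, so carve out an exception for them before applying it to a real bucket.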

Comments

SSASSWS
Highly Voted 1 year, 7 months ago
Selected Answer: A
I think the answer should be A and not B, as we cannot "attach security groups to a gateway endpoint."
upvoted 35 times
A_New_Guy
1 year, 6 months ago
It's possible: https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/
upvoted 4 times
kruasan
1 year, 2 months ago
No, it’s not
upvoted 3 times
smartegnine
1 year, 1 month ago
Create a security group that allows the resources in your VPC to communicate with the endpoint network interfaces for the VPC endpoint. To ensure that tools such as the AWS CLI can make requests over HTTPS from resources in the VPC to the AWS service, the security group must allow inbound HTTPS traffic. For Security groups, select the security groups to associate with the endpoint network interfaces for the VPC endpoint. By default, we associate the default security group for the VPC.
upvoted 1 times
slackbot
10 months, 2 weeks ago
This is valid for interface endpoints, not for gateway endpoints, which is what option B mentions.
upvoted 2 times
markw92
1 year ago
A gateway endpoint must be used as a target in a route table and does not use security groups.
upvoted 5 times
Iconique
9 months, 1 week ago
Go to console and test it yourself! With Interface Endpoint you can add security groups.
upvoted 2 times
Buruguduystunstugudunstuy
Highly Voted 1 year, 6 months ago
Selected Answer: B
The correct solution to meet the requirements is Option B. A gateway VPC endpoint for Amazon S3 should be created in the Availability Zone where the EC2 instance is located. This will allow the EC2 instance to access the S3 bucket directly, without routing through the public internet. The endpoint should also be configured with appropriate security groups to allow access to the S3 bucket. Additionally, a resource policy should be attached to the S3 bucket to only allow the EC2 instance's IAM role for access.
upvoted 33 times
Buruguduystunstugudunstuy
1 year, 6 months ago
Option A is incorrect because an interface VPC endpoint for Amazon S3 would not provide a direct connection between the EC2 instance and the S3 bucket. Option C is incorrect because using the nslookup tool to obtain the private IP address of the S3 bucket's service API endpoint would not provide a secure connection between the EC2 instance and the S3 bucket. Option D is incorrect because using the ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint is not a secure method to connect the EC2 instance to the S3 bucket.
upvoted 3 times
mhmt4438
1 year, 6 months ago
An interface VPC endpoint does provide a direct connection between the EC2 instance and the S3 bucket. It enables private communication between instances in your VPC and resources in other services without requiring an internet gateway, a NAT device, or a VPN connection. Option A, which recommends creating an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located and attaching a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access, is the correct solution for the given scenario. It meets the requirement to ensure that no API calls and no data are routed through public internet routes and that only the EC2 instance can have access to upload data to the S3 bucket.
upvoted 6 times
Omok
1 year, 5 months ago
In support, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
upvoted 6 times
ChrisG1454
1 year, 4 months ago
There are two types of VPC Endpoint: Gateway endpoint and Interface endpoint.

A Gateway endpoint:
1) Helps you to securely connect to Amazon S3 and DynamoDB
2) Serves as a target in your route table for traffic
3) Provides access to the endpoint (endpoint, identity and resource policies)

An Interface endpoint:
1) Helps you to securely connect to AWS services EXCEPT FOR Amazon S3 and DynamoDB
2) Is powered by PrivateLink (keeps network traffic within the AWS network)
3) Needs an elastic network interface (ENI) (entry point for traffic)
upvoted 31 times
slackbot
10 months, 2 weeks ago
Interface endpoints exist for S3 as well.
upvoted 6 times
ChymKuBoy
Most Recent 1 week, 2 days ago
Selected Answer: A
A for sure
upvoted 1 times
a7md0
1 week, 6 days ago
Selected Answer: B
DynamoDB & S3 use a Gateway VPC endpoint (not interface).
upvoted 2 times
Duckydoo
2 weeks, 5 days ago
Selected Answer: A
You associate a gateway endpoint with a VPC and its subnets (so the prefix list can be added to the appropriate routing tables). You cannot specify an AZ or associate an SG when creating a gateway endpoint.
upvoted 1 times
Rhydian25
3 weeks, 3 days ago
Selected Answer: A
It must be an Interface VPC endpoint, as the Gateway VPC endpoint requires an S3 public IP address to work: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html If the bucket has a public IP address, it means the bucket is publicly accessible, which is not the case here.
upvoted 1 times
rohitph
4 weeks ago
Selected Answer: A
We cannot "attach security groups to a gateway endpoint."
upvoted 2 times
lofzee
1 month, 1 week ago
I'm almost certain that the answers in this question are written slightly wrong. There is no reason (based on the question) for you to select A. Only EC2 needs access to S3; 99% of the time you'd use a gateway endpoint. Reasons you might use an interface endpoint are:
- requirement of on-premises access to S3
- requirement of access from another VPC in another region using peering or transit gateway
- requirement of using specific S3 endpoint DNS names
- use of private IPs from your VPC to access S3
Based on the above, I believe the answer to be B; it's just written incorrectly with the addition of the security groups part.
upvoted 1 times
ManikRoy
2 months ago
Selected Answer: A
Option A, as a security group is not applicable to a Gateway endpoint.
upvoted 1 times
Solomon2001
2 months ago
Selected Answer: A
Explanation:

Option A: An interface VPC endpoint for Amazon S3 ensures that the data transfer between the EC2 instance and the S3 bucket stays within the AWS network, avoiding the public internet. By attaching a resource policy to the S3 bucket to only allow access from the EC2 instance's IAM role, you ensure that only the EC2 instance can upload data to the S3 bucket.

Option B: A gateway VPC endpoint for Amazon S3 doesn't ensure that the data transfer stays within the AWS network; it can still use the public internet. Although you can attach security groups to the endpoint, it doesn't guarantee that the data transfer won't use public internet routes.
upvoted 1 times
7ce90e0
2 months, 1 week ago
Selected Answer: B
B. Interface endpoints are for PrivateLink and require an IP address; gateway endpoints are for internal services and don't need an IP address. https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html
upvoted 2 times
MehulKapadia
2 months, 3 weeks ago
Selected Answer: A
Option B is confusing, but not after you see the fine print.
- A user cannot create a Gateway endpoint in any specific Availability Zone; the user only specifies under which VPC it needs to be created.
- A user does not select/attach a security group to a Gateway Endpoint, as this gateway only works by adding the destination prefix list (S3) to the gateway endpoint route.
Correct Answer: A
upvoted 2 times
NishantM
3 months ago
Answer B

What is a VPC gateway endpoint? Consider a scenario where you have to access S3 from your EC2 instance in a public subnet. As the subnet has an internet gateway attached, the traffic to S3 will go through the public internet. However, the problem arises if your instance is in a private subnet and does not have any NAT gateway/instance attached, or you cannot afford the charges of a NAT gateway. Currently, AWS S3 and DynamoDB are the only services supported by gateway endpoints. Using Gateway endpoints does not incur any data processing or hourly charges.
upvoted 1 times
scar0909
3 months, 4 weeks ago
Selected Answer: B
VPC gateway endpoint
upvoted 1 times
TheFivePips
4 months, 1 week ago
Selected Answer: A
I used to think that gateway endpoints were only for S3 and DynamoDB, but I guess that's not the whole story. S3 can use interface endpoints, and they are privately routed. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
upvoted 1 times
frmrkc
5 months ago
Selected Answer: A
Option B is wrong:
- you cannot attach security groups to a gateway VPC endpoint
- you cannot create a gateway VPC endpoint in an Availability Zone
upvoted 2 times
thewalker
5 months, 1 week ago
Selected Answer: B
The main difference between an interface VPC endpoint and a gateway VPC endpoint is how traffic is routed to AWS services outside the VPC: Interface VPC Endpoint: Uses an Elastic Network Interface (ENI) within your VPC subnets to allow communication between your VPC and AWS services. When you create an interface endpoint, a private IP address is assigned to the ENI that acts as the entry point for traffic destined to the AWS service. DNS queries for the service are routed to the private IP address of the ENI, avoiding the public internet.
upvoted 1 times
thewalker
5 months, 1 week ago
Gateway VPC Endpoint: Adds an entry in your VPC route table that defines the service as a valid destination and routes traffic to it. Traffic destined for the service leaves your VPC and travels across the AWS global network to the service. Gateway endpoints currently only support S3 and DynamoDB. Interface endpoints support many more AWS services. Some key points to consider when choosing an endpoint type include availability of the service, need for cross-region access, and whether traffic needs to flow from on-premises.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)