Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 208 discussion

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

  • A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
  • D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket’s service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
Suggested Answer: A
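Whichever endpoint type is chosen, the second half of every option is the same: a bucket policy that lets only the instance's IAM role upload. The following is an added example, not code from the original page or from AWS: it builds such a bucket policy, pins it to one VPC endpoint with the `aws:sourceVpce` condition key (which works for both gateway and interface endpoints to S3), and runs a deliberately simplified resource-policy evaluator and a lint check over it so the "public path is denied, endpoint path for the role is allowed" behaviour can be exercised offline. The bucket name, role ARN and endpoint ID are constructed placeholders; the evaluator models only explicit-deny / allow / implicit-deny and two string operators, not the real IAM engine (identity policies, SCPs and permission boundaries are out of scope).

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder values (assumptions, not from the original page).
BUCKET = "example-upload-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/ec2-uploader"
VPCE_ID = "vpce-0123456789abcdef0"


def build_bucket_policy(bucket: str, role_arn: str, vpce_id: str) -> dict:
    """Bucket policy for the scenario: only one IAM role may upload, and only
    through one VPC endpoint.  The Allow is scoped to the role; the Deny
    catches every other path (public internet, NAT, other endpoints)."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUploaderRoleViaEndpoint",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                # This Deny also hits the bucket owner and admins who are not
                # coming through the endpoint: plan a break-glass path first.
                "Sid": "DenyTrafficNotFromEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    return principal == "*" or "*" in _as_list(principal.get("AWS", []))


def _principal_matches(principal, arn: str) -> bool:
    return _is_wildcard_principal(principal) or arn in _as_list(principal.get("AWS", []))


def _condition_holds(condition: dict, context: dict) -> bool:
    """Subset of IAM condition semantics: StringEquals / StringNotEquals.
    A negated operator on a key missing from the request context evaluates
    to true, which is why a request that never traversed the endpoint (no
    aws:sourceVpce in its context) matches the Deny statement."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = ctx.get(key.lower())
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy: dict, principal_arn: str, action: str, resource: str, context: dict) -> str:
    """Simplified resource-policy evaluation: an explicit Deny wins, then any
    matching Allow, otherwise implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def lint_policy(policy: dict) -> list:
    """Checks a reviewer would run before applying the policy to a bucket."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and _is_wildcard_principal(stmt["Principal"]):
            findings.append(f"{stmt['Sid']}: Allow with wildcard principal makes the bucket public")
        if stmt["Effect"] == "Allow" and "aws:sourceVpce" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{stmt['Sid']}: Allow is not pinned to a VPC endpoint")
    if not any(s["Effect"] == "Deny" for s in policy["Statement"]):
        findings.append("no explicit Deny: non-endpoint traffic relies on implicit deny only")
    return findings


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, ROLE_ARN, VPCE_ID)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/upload.bin"
    print(evaluate(policy, ROLE_ARN, "s3:PutObject", obj, {"aws:sourceVpce": VPCE_ID}))
    print(evaluate(policy, ROLE_ARN, "s3:PutObject", obj, {}))
    print(lint_policy(policy))
```

The Allow alone already restricts uploads to the role, but without the Deny the same role could still reach the bucket over a public route if its identity policy permitted it; the Deny with `StringNotEquals` on `aws:sourceVpce` is what enforces "no public path" at the bucket. Before applying a policy of this shape, make sure an administrative path through the endpoint exists, because the Deny applies to the account owner as well.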

Comments

SSASSWS
Highly Voted 1 year, 11 months ago
Selected Answer: A
I think the answer should be A and not B, as we cannot attach security groups to a gateway endpoint.
upvoted 38 times
A_New_Guy
1 year, 11 months ago
It's possible: https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/
upvoted 4 times
kruasan
1 year, 6 months ago
No, it’s not
upvoted 3 times
smartegnine
1 year, 5 months ago
Create a security group that allows the resources in your VPC to communicate with the endpoint network interfaces for the VPC endpoint. To ensure that tools such as the AWS CLI can make requests over HTTPS from resources in the VPC to the AWS service, the security group must allow inbound HTTPS traffic. For Security groups, select the security groups to associate with the endpoint network interfaces for the VPC endpoint. By default, we associate the default security group for the VPC.
upvoted 2 times
slackbot
1 year, 2 months ago
This is valid for an interface endpoint, not for a gateway endpoint, which is what option B mentions.
upvoted 3 times
markw92
1 year, 5 months ago
A gateway endpoint must be used as a target in a route table; it does not use security groups.
upvoted 6 times
Iconique
1 year, 1 month ago
Go to console and test it yourself! With Interface Endpoint you can add security groups.
upvoted 2 times
elmyth
3 weeks ago
Interface VPC endpoint is A.
upvoted 2 times
Buruguduystunstugudunstuy
Highly Voted 1 year, 11 months ago
Selected Answer: B
The correct solution to meet the requirements is Option B. A gateway VPC endpoint for Amazon S3 should be created in the Availability Zone where the EC2 instance is located. This will allow the EC2 instance to access the S3 bucket directly, without routing through the public internet. The endpoint should also be configured with appropriate security groups to allow access to the S3 bucket. Additionally, a resource policy should be attached to the S3 bucket to only allow the EC2 instance's IAM role for access.
upvoted 35 times
JA2018
2 days, 18 hours ago
Check this out: https://www.examtopics.com/discussions/amazon/view/83857-exam-aws-certified-solutions-architect-associate-saa-c02/ (selected answer: B). So which is the correct answer?!
upvoted 1 times
Buruguduystunstugudunstuy
1 year, 11 months ago
Option A is incorrect because an interface VPC endpoint for Amazon S3 would not provide a direct connection between the EC2 instance and the S3 bucket. Option C is incorrect because using the nslookup tool to obtain the private IP address of the S3 bucket's service API endpoint would not provide a secure connection between the EC2 instance and the S3 bucket. Option D is incorrect because using the ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint is not a secure method to connect the EC2 instance to the S3 bucket.
upvoted 4 times
ChrisG1454
1 year, 9 months ago
There are two types of VPC endpoint: gateway endpoint and interface endpoint.
A gateway endpoint:
1) Helps you to securely connect to Amazon S3 and DynamoDB
2) Serves as a target in your route table for traffic
3) Provides access control for the endpoint (endpoint, identity and resource policies)
An interface endpoint:
1) Helps you to securely connect to AWS services EXCEPT FOR Amazon S3 and DynamoDB
2) Is powered by PrivateLink (keeps network traffic within the AWS network)
3) Needs an elastic network interface (ENI) as the entry point for traffic
upvoted 34 times
slackbot
1 year, 2 months ago
An interface endpoint exists for S3 as well.
upvoted 9 times
mhmt4438
1 year, 10 months ago
An interface VPC endpoint does provide a direct connection between the EC2 instance and the S3 bucket. It enables private communication between instances in your VPC and resources in other services without requiring an internet gateway, a NAT device, or a VPN connection. Option A , which recommends creating an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located and attaching a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access, is the correct solution for the given scenario. It meets the requirement to ensure that no API calls and no data are routed through public internet routes and that only the EC2 instance can have access to upload data to the S3 bucket.
upvoted 7 times
Omok
1 year, 9 months ago
In support, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
upvoted 8 times
jayessh
Most Recent 1 week ago
You cannot attach a security group to a gateway VPC endpoint. Security groups can only be attached to interface VPC endpoints, so option B is wrong. Option A won't work because an interface VPC endpoint for Amazon S3 is not supported. Amazon S3 only supports gateway VPC endpoints. Interface VPC endpoints are used for services that are powered by AWS PrivateLink, which is not applicable to S3. There is something wrong with the options provided.
upvoted 2 times
JA2018
2 days, 18 hours ago
https://www.examtopics.com/discussions/amazon/view/83857-exam-aws-certified-solutions-architect-associate-saa-c02/
upvoted 1 times
MALEK00
2 weeks ago
B has "Attach appropriate security groups to the endpoint". Gateway endpoints: provision a gateway that must be used as a target in a route table (does not use security groups), so B is incorrect and A is correct.
upvoted 2 times
Mish
2 weeks, 1 day ago
Selected Answer: B
B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access.
upvoted 1 times
Cmtan
1 month, 3 weeks ago
Selected Answer: A
A gateway endpoint for S3 uses Amazon S3 public IP addresses, while an interface endpoint uses private IP addresses from your VPC to access Amazon S3. As mentioned, no traffic is allowed through the public route, so the answer is A.
upvoted 1 times
bignatov
2 months ago
Selected Answer: A
I vote for A, because there is no option to attach a security group to a gateway VPC endpoint. Apart from that, in most cases a gateway endpoint is preferable for S3, but this little detail about the security group changes my answer to A. Gateway endpoints use route tables instead of security groups.
upvoted 1 times
OlehKom
2 months, 3 weeks ago
Selected Answer: B
Interface VPC endpoints are more suited for services that require private connectivity via a network interface. For S3, a Gateway VPC Endpoint is more appropriate and cost-effective since it integrates at the route table level without requiring additional cost per endpoint.
upvoted 2 times
SamDevNation
2 months, 4 weeks ago
Selected Answer: A
It's A, private equals interface. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
upvoted 1 times
AWS_Debu
3 months, 2 weeks ago
The answer should be B. You can attach a security group to a VPC endpoint. This is not the point. For S3 you need to create a gateway VPC endpoint, not an interface VPC endpoint.
upvoted 2 times
tom_cruise
3 months, 3 weeks ago
Gateway endpoints do not enable AWS PrivateLink. So the answer is A.
upvoted 1 times
sonlduet
3 months, 3 weeks ago
It's definitely A. B is wrong because we configure a route table for a gateway VPC endpoint, not a security group or subnet.
upvoted 1 times
jatric
4 months, 2 weeks ago
Selected Answer: B
A gateway endpoint would be sufficient here; it is specifically for S3 and DynamoDB and doesn't incur any charges. An interface VPC endpoint might be useful in a scenario with cross-region or on-premises connectivity within a private VPC. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html
upvoted 2 times
Hightower_IT
4 months, 2 weeks ago
Selected Answer: A
The wording in B says create a gateway VPC endpoint in the AZ; surely it should say in the VPC.
upvoted 2 times
ChymKuBoy
4 months, 3 weeks ago
Selected Answer: A
A for sure
upvoted 1 times
a7md0
5 months ago
Selected Answer: B
DynamoDB and S3 use a gateway VPC endpoint (not interface).
upvoted 3 times
Duckydoo
5 months, 1 week ago
Selected Answer: A
You associate a gateway endpoint with a VPC and its subnets (so the prefix list can be added to the appropriate routing tables). You cannot specify an AZ or associate an SG when creating a gateway endpoint.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other