Q32 — AWS SAA-C03 Ch.3


Q162. A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket. Which solution will meet these requirements?

Correct Answer: B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

Explanation

To meet the requirement of moving data from an Amazon EC2 instance to an Amazon S3 bucket with no API calls or data routed through public internet routes, and with only the EC2 instance able to upload to the bucket, a solutions architect should create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Appropriate security groups should be attached to the endpoint, and a resource policy should be attached to the S3 bucket that allows only the EC2 instance's IAM role access. Therefore, option B is the correct answer.

Option A suggests creating an interface VPC endpoint for Amazon S3. This may work, but it may require additional configuration to secure the endpoint and to ensure that only the EC2 instance has access.

Option C suggests using nslookup to obtain the private IP address of the S3 service API endpoint, which is not recommended. Private IP addresses can change frequently, so this approach does not provide a reliable solution.

Option D suggests using the publicly available ip-ranges.json file to obtain the private IP address of the S3 service API endpoint. This is also not recommended, because those IP addresses are subject to frequent change.

With a gateway VPC endpoint for Amazon S3, traffic between the EC2 instance and the S3 bucket stays within the AWS network, so no API calls or data are routed over public internet routes. Appropriate security groups can be attached to the endpoint to limit access to the EC2 instance only, and a resource policy on the S3 bucket grants access solely to the EC2 instance's IAM role, providing a secure and controlled solution for transferring data from the EC2 instance to the S3 bucket.
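The bucket resource policy that the correct answer describes, shown here as an added illustration (not part of the original question or any AWS-published sample). The account ID, role name, bucket name and endpoint ID are placeholders; the second statement goes slightly beyond the answer text by also pinning requests to the gateway endpoint with the `aws:SourceVpce` condition key, so that even a principal holding valid credentials cannot reach the bucket over a public route:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploadFromInstanceRoleOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EXAMPLE-ec2-upload-role"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-upload-bucket/*"
    },
    {
      "Sid": "DenyAnyRequestNotViaGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-upload-bucket",
        "arn:aws:s3:::EXAMPLE-upload-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789"
        }
      }
    }
  ]
}
```

Two points to check before applying a policy like this: the instance's IAM role still needs an identity-based policy granting `s3:PutObject` on the same resource, since the bucket policy alone does not grant a same-account principal anything it lacks; and the explicit `Deny` with `Principal: "*"` also blocks console and administrator access from outside the VPC, so confirm the endpoint ID is correct and that the route table of the instance's subnet carries the endpoint route before you save it.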