Q28 — AWS SAA-C03 Ch.5


Q328. A company's application hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Due to data sensitivity, traffic cannot traverse the internet. How should a solutions architect configure access?

Correct Answer: B. Configure a VPC gateway endpoint for Amazon S3 in the VPC.

Explanation

To allow secure access to an Amazon S3 bucket from Amazon EC2 instances without traversing the internet, the recommended approach is a VPC gateway endpoint. A VPC endpoint for Amazon S3 enables EC2 instances in a VPC to reach S3 buckets over a private connection, so data remains within the AWS network and never travels over the internet.

Option A, creating a private hosted zone using Route 53, would not provide direct access to the S3 bucket; it only provides custom DNS name resolution for resources in your VPC, which is not relevant to reaching the bucket privately.

Option C, configuring PrivateLink between the EC2 instance and the S3 bucket, can also provide secure access to Amazon S3 objects directly from your VPC without traversing the internet, but it requires more configuration steps than a VPC gateway endpoint.

Option D, setting up a site-to-site VPN connection between the VPC and the S3 bucket, is not feasible, since Amazon S3 does not support VPN connections.

Thus, option B is the most suitable solution, as it ensures that the data remains within the AWS network and does not traverse the internet.