
Answer-first summary for fast verification
Answer: Deploy an S3 VPC gateway endpoint into the VPC and attach an endpoint policy that allows access to the S3 buckets.
## Explanation

**Correct Answer: D** - Deploy an S3 VPC gateway endpoint into the VPC and attach an endpoint policy that allows access to the S3 buckets.

### Why Option D is Correct:

1. **S3 VPC Gateway Endpoints**: These are specifically designed to allow private connectivity between your VPC and Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect.
2. **Cost Reduction**: When using S3 VPC endpoints:
   - Data transfer between your VPC and S3 in the same AWS Region is free (no data transfer charges)
   - Traffic stays within the AWS network and doesn't traverse the public internet
   - Eliminates NAT gateway data processing charges
3. **Security Benefits**:
   - Traffic remains within the AWS network
   - Endpoint policies can be used to restrict access to specific S3 buckets
   - No exposure to the public internet

### Why Other Options Are Incorrect:

**A. Deploy Amazon API Gateway into a public subnet and adjust the route table to route S3 calls through it.**
- API Gateway is for creating RESTful APIs, not for optimizing S3 access
- This would add complexity and potentially increase costs
- Doesn't address the data transfer fee issue

**B. Deploy a NAT gateway into a public subnet and attach an endpoint policy that allows access to the S3 buckets.**
- NAT gateways incur data processing charges ($0.045 per GB)
- Traffic still goes through the public internet
- Doesn't reduce data transfer costs

**C. Deploy the application into a public subnet and allow it to route through an internet gateway to access the S3 buckets.**
- This is the current problematic setup
- Uses the public internet, incurring data transfer fees
- Least secure option

### Key AWS Concepts:

- **VPC Endpoints**: Provide private connectivity to AWS services
- **S3 Gateway Endpoints**: Specifically for S3, free data transfer within the same Region
- **Endpoint Policies**: IAM-like policies to control access through the endpoint

### Best Practice:

When applications in a VPC need frequent access to S3 in the same Region, always use S3 VPC gateway endpoints to eliminate data transfer costs and improve security.
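As an added example (not part of the LeetQuiz explanation), the following Python builds the kind of restrictive endpoint policy option D refers to and evaluates it with a simplified IAM-style matcher, contrasting it with the full-access policy AWS attaches to a gateway endpoint by default. The bucket name `photo-uploads-example` and all function names are assumptions chosen for illustration.

```python
"""Build an S3 gateway endpoint policy limited to named buckets and check
what it permits. Added example; the bucket name is constructed."""
import fnmatch
import json


def build_endpoint_policy(bucket_names):
    """Allow S3 calls through the endpoint only to the listed buckets
    (bucket ARN for ListBucket, bucket/* for object operations)."""
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyApprovedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def _matches(pattern, value):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def endpoint_policy_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins; otherwise some Allow
    statement must match both action and resource. Condition keys and
    the caller's own IAM/bucket policies are not modelled here."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Default policy on a new gateway endpoint: full access to all of S3.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    policy = build_endpoint_policy(["photo-uploads-example"])  # constructed name
    print(json.dumps(policy, indent=2))
    print(endpoint_policy_allows(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
```

The endpoint policy only limits what can be reached through the endpoint; the caller's IAM identity policy and the bucket policy still apply on top of it.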
Author: LeetQuiz Editorial Team
A company runs a photo processing application that needs to frequently upload and download pictures from Amazon S3 buckets that are located in the same AWS Region. A solutions architect has noticed an increased cost in data transfer fees and needs to implement a solution to reduce these costs.
How can the solutions architect meet this requirement?
A. Deploy Amazon API Gateway into a public subnet and adjust the route table to route S3 calls through it.
B. Deploy a NAT gateway into a public subnet and attach an endpoint policy that allows access to the S3 buckets.
C. Deploy the application into a public subnet and allow it to route through an internet gateway to access the S3 buckets.
D. Deploy an S3 VPC gateway endpoint into the VPC and attach an endpoint policy that allows access to the S3 buckets.