
Answer-first summary for fast verification
Answer: Configure an S3 gateway endpoint.
## Explanation

**Correct Answer: A - Configure an S3 gateway endpoint.**

**Why this is correct:**

1. **S3 Gateway Endpoint** is a VPC endpoint specifically designed for Amazon S3 that enables private connectivity between your VPC and S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect.
2. **No internet traffic**: When you configure an S3 gateway endpoint, traffic between your VPC and S3 stays within the AWS network and never traverses the public internet, meeting the security requirement.
3. **Direct VPC-to-S3 routing**: The gateway endpoint creates a route in your VPC route table that directs S3 traffic through the AWS private network.

**Why other options are incorrect:**

**B. Create an S3 bucket in a private subnet.**
- S3 buckets are not deployed in subnets; they are regional services accessible via endpoints.
- S3 buckets exist at the regional level, not within VPC subnets.

**C. Create an S3 bucket in the same AWS Region as the EC2 instances.**
- While this reduces latency, it doesn't prevent internet traffic. EC2 instances would still need to traverse the internet to reach S3 unless a VPC endpoint is configured.

**D. Configure a NAT gateway in the same subnet as the EC2 instances.**
- A NAT gateway allows outbound internet access for private instances, but traffic still goes through the internet to reach S3.
- This would violate the requirement of "no traffic from the applications is allowed to travel across the internet."

**Key AWS Concepts:**
- **VPC Endpoints**: Provide private connectivity to AWS services without internet access.
- **Gateway Endpoints**: Specifically for S3 and DynamoDB, using route table entries.
- **Interface Endpoints**: For other AWS services, using ENIs in your VPC.

**Security Benefits:**
- Eliminates exposure to internet threats
- Maintains data privacy within AWS network
- Complies with strict security regulations
- No additional cost for data transfer within the same region
Author: LeetQuiz Editorial Team
A company has applications that run on Amazon EC2 instances in a VPC. One of the applications needs to call the Amazon S3 API to store and read objects. According to the company's security regulations, no traffic from the applications is allowed to travel across the internet. Which solution will meet these requirements?
A. Configure an S3 gateway endpoint.
B. Create an S3 bucket in a private subnet.
C. Create an S3 bucket in the same AWS Region as the EC2 instances.
D. Configure a NAT gateway in the same subnet as the EC2 instances.