
A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.
Which solution will meet these requirements?
A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.
B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.
C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.
D. Use the AWS-provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.
Explanation:
The correct answer is B because:
Gateway VPC endpoint for S3: This is the endpoint type intended for Amazon S3. A gateway endpoint adds a route for the S3 service prefix list to the VPC route table, so API calls and object data travel over the AWS network and never traverse the public internet.
Availability Zone consideration: Gateway VPC endpoints are regional constructs that are associated with route tables rather than with a specific Availability Zone. The option's wording places the endpoint in the Availability Zone where the EC2 instance is located; this is imprecise but does not prevent the solution from working.
Security groups: Gateway VPC endpoints do not use security groups; access is governed by the endpoint policy attached to the endpoint (security groups apply to interface endpoints). This detail in the option is inaccurate, but it does not invalidate the solution.
Resource policy: Attaching a resource policy (bucket policy) to the S3 bucket that allows only the EC2 instance's IAM role ensures that only a principal using that role, in this case the EC2 instance through its instance profile, can upload to the bucket.
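The two controls the explanation describes, a gateway endpoint as the only network path and a bucket policy that admits only the instance's role, can be expressed together in one bucket policy. The following is an added example written for this page, not AWS-provided or quiz-provided text; the account ID, role name, bucket name and endpoint ID are placeholders to be replaced with real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploadFromInstanceRoleViaGatewayEndpoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-upload-role"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::PLACEHOLDER-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    },
    {
      "Sid": "DenyAnyRequestNotFromGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-bucket",
        "arn:aws:s3:::PLACEHOLDER-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    }
  ]
}
```

The Allow statement grants only s3:PutObject (the upload the question asks for) to the instance role, and only when the request arrives through the named gateway endpoint; the Deny statement rejects every request from any other path, including the public S3 endpoint. Two practical checks before applying such a policy: the VPC route table used by the instance's subnet must carry the endpoint's S3 prefix-list route, or the condition will never match and uploads fail; and because the Deny applies to every principal, administrators who manage the bucket from outside the VPC (for example via the console) will also be blocked, so keep a break-glass path, such as applying the policy through CloudFormation or a pipeline that runs inside the VPC, or narrowing the Deny to the specific principals that matter.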
Why not the other options:
Key AWS Concepts: