Answer-first summary for fast verification
Answer: Set up a gateway VPC endpoint for Amazon S3 in the VPC.
## Explanation

**Correct Answer: B - Set up a gateway VPC endpoint for Amazon S3 in the VPC.**

**Why this is correct:**

1. **VPC endpoint for S3**: AWS offers a gateway VPC endpoint for Amazon S3. Once it is created and associated with the subnets' route tables, EC2 instances in the VPC reach S3 without an internet gateway, NAT device, or public IP address.
2. **Traffic stays on the AWS network**: The endpoint adds a route for the S3 prefix list (a `pl-` entry) to the route table, so requests to S3's regional endpoint are forwarded over the AWS private network instead of leaving the VPC.
3. **Security and compliance**: This satisfies the requirement that "traffic must not traverse the internet". The endpoint policy can further restrict which buckets and actions are reachable through the endpoint, and a bucket policy can use the `aws:SourceVpce` condition key to reject requests that do not arrive through it.
4. **No internet gateway required**: The gateway endpoint works in a fully private subnet. Note that it is regional: it only serves buckets in the same region as the VPC, and it has no ENI, so security groups do not apply to it; the endpoint policy and route-table association are what govern access.

**Why the other options are incorrect:**

**A. Create a private hosted zone by using Amazon Route 53.**
- Private hosted zones provide DNS resolution inside a VPC; they do not create a network path to S3.
- S3's public endpoint names would still resolve to public addresses, so the traffic path is unchanged.

**C. Configure the EC2 instances to use a NAT gateway to access the S3 bucket.**
- A NAT gateway sits in a public subnet and forwards traffic through an internet gateway to S3's public endpoints using public IP addresses, which violates the requirement.
- It also adds per-GB processing charges, whereas a gateway endpoint for S3 has no charge.

**D. Establish an AWS Site-to-Site VPN connection between the VPC and the S3 bucket.**
- Site-to-Site VPN connects a VPC (or transit gateway) to an on-premises network or another VPN device, not to an AWS service.
- S3 is not a VPN endpoint; private access from a VPC is provided by VPC endpoints.

**Key AWS Concepts:**

- **VPC Endpoints**: Private connections between your VPC and supported AWS services that do not use an internet gateway, NAT device, VPN connection, or AWS Direct Connect.
- **Gateway VPC Endpoint**: Available for Amazon S3 and DynamoDB only. It is implemented as a route-table target for the service's prefix list, has no ENI or private IP in your subnets, and is free of charge.
- **Interface VPC Endpoint**: Uses AWS PrivateLink and places an ENI with a private IP address in your subnets; this is the type used for most other AWS services. S3 also supports interface endpoints, which are useful when on-premises hosts connected via Direct Connect or VPN need private access to S3, but they carry hourly and data-processing charges. For instances inside the VPC, as in this question, the gateway endpoint is the expected answer.

**Best Practice**: Use VPC endpoints to reach AWS services from inside a VPC whenever traffic must stay on the AWS network for security, compliance, or performance reasons, and pair the endpoint with an endpoint policy and a bucket policy so the bucket cannot also be reached from the internet.
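The following Terraform configuration is an added example, not part of the LeetQuiz page, showing what option B looks like in practice: a gateway endpoint for S3 with a restrictive endpoint policy, its route-table association, and a bucket policy that denies any request not arriving through that endpoint. The region, VPC ID, route table ID and bucket name are placeholder assumptions.

```hcl
# Added example (not the quiz page's code). All IDs and names below are
# placeholder assumptions; replace them with values from your account.
variable "region"         { default = "us-east-1" }                # assumption: VPC and bucket share this region
variable "vpc_id"         { default = "vpc-0123456789abcdef0" }    # assumption
variable "route_table_id" { default = "rtb-0123456789abcdef0" }    # assumption: route table of the app subnets
variable "bucket_name"    { default = "example-app-bucket" }       # assumption

provider "aws" {
  region = var.region
}

# Gateway endpoint: no ENI and no security group. Reachability is controlled by
# the route-table association (adds a route for the S3 prefix list) and by the
# endpoint policy attached here.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.route_table_id]

  # Endpoint policy: instances can only reach the application bucket through
  # this endpoint, not arbitrary buckets (limits exfiltration to attacker buckets).
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyAppBucketViaEndpoint"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
    }]
  })
}

# Bucket policy: the endpoint keeps the instances' traffic private, but on its
# own it does nothing to stop internet clients from reaching the bucket. This
# Deny rejects every request whose source VPC endpoint is not ours.
resource "aws_s3_bucket_policy" "app" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromGatewayEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringNotEquals = {
          "aws:SourceVpce" = aws_vpc_endpoint.s3.id
        }
      }
    }]
  })
}

# The prefix list ID is the route target the endpoint installs; check that a
# route to it appears in the associated route table after apply.
output "s3_prefix_list_id" {
  value = aws_vpc_endpoint.s3.prefix_list_id
}
```

Two things to verify after `terraform apply`: `aws ec2 describe-route-tables --route-table-ids <rtb-id>` should show a route whose destination is the `pl-` prefix list from the output, targeting the `vpce-` ID, and `aws s3 ls s3://<bucket>` should succeed from an instance in the associated subnets but return `AccessDenied` from outside the VPC. Be aware that the unconditional Deny also locks out the console and any administrator or pipeline (including the Terraform run itself) that is not inside the VPC; in real deployments add an exception for a break-glass role, for example with an `aws:PrincipalArn` condition, before applying it.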
Author: LeetQuiz Editorial Team
An application that is hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Traffic must not traverse the internet. How should a solutions architect configure access to meet these requirements?
A. Create a private hosted zone by using Amazon Route 53.
B. Set up a gateway VPC endpoint for Amazon S3 in the VPC.
C. Configure the EC2 instances to use a NAT gateway to access the S3 bucket.
D. Establish an AWS Site-to-Site VPN connection between the VPC and the S3 bucket.