
Answer-first summary for fast verification
Answer: Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.
## Explanation

**Correct Answer: D** - Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.

### Why this is correct:

1. **VPC Endpoints for S3 (Gateway Endpoint)** allow EC2 instances in a VPC to access S3 buckets without traversing the internet.
2. **Private subnet requirement**: EC2 instances in private subnets don't have internet access, so they cannot use internet gateways or NAT gateways to reach S3.
3. **Security**: VPC endpoints keep traffic within the AWS network, avoiding exposure to the public internet.
4. **No internet usage**: The requirement explicitly states "must not use the internet" - VPC endpoints fulfill this by providing private connectivity.

### Why other options are incorrect:

**A. Internet Gateway**:
- Requires internet access, which contradicts the requirement "must not use the internet"
- EC2 instances in private subnets cannot use internet gateways directly

**B. VPN Connection**:
- VPNs are for connecting on-premises networks to AWS VPCs
- Doesn't solve the private-subnet-to-S3 connectivity issue
- Still might involve internet routing

**C. NAT Gateway**:
- Allows outbound internet access from private subnets
- Still uses the internet to reach S3 (traffic goes through the NAT gateway to the internet)
- Doesn't meet the "no internet" requirement

### Key AWS Concepts:

- **VPC Gateway Endpoint for S3**: A horizontally scaled, redundant gateway that allows private connectivity between your VPC and S3
- **Private Subnet**: A subnet with no route to an internet gateway
- **Bucket Policies**: Resource-based policies, written in IAM policy language, attached to S3 buckets to control access
- **Endpoint Policies**: Additional policies that can be attached to VPC endpoints to control what actions/resources can be accessed

### Implementation Steps:

1. Create a VPC Gateway Endpoint for S3 in the VPC
2. Update the route table of the private subnet to include a route to the endpoint
3. Update the S3 bucket policy to allow access from the VPC endpoint
4. The EC2 application can now access S3 using the standard S3 endpoint URL, but traffic stays within the AWS network
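As an added example (not part of the original page or LeetQuiz's material), the bucket policy from step 3 can pin the bucket to the gateway endpoint with the `aws:SourceVpce` condition key: one statement allows the application role in through the endpoint, and a second denies every other path so that a stray NAT or internet route can never reach the data. The bucket name, account id, role names and endpoint id are constructed placeholders; the admin-role exception exists so the Deny does not lock operators out of the bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRoleThroughGatewayEndpoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/AppInstanceRole"
      },
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-sensitive-bucket",
        "arn:aws:s3:::example-sensitive-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    },
    {
      "Sid": "DenyAllAccessNotFromGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-sensitive-bucket",
        "arn:aws:s3:::example-sensitive-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/BucketAdminRole"
        }
      }
    }
  ]
}
```

Apply the Deny statement only after confirming the endpoint id and that the private subnet's route table carries the S3 prefix-list route from step 2; otherwise the application is cut off until the route exists.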
Author: LeetQuiz Editorial Team
A company has an application that runs on Amazon EC2 instances in a private subnet. The application needs to process sensitive information from an Amazon S3 bucket. The application must not use the internet to connect to the S3 bucket.
Which solution will meet these requirements?
A
Configure an internet gateway. Update the S3 bucket policy to allow access from the internet gateway. Update the application to use the new internet gateway.
B
Configure a VPN connection. Update the S3 bucket policy to allow access from the VPN connection. Update the application to use the new VPN connection.
C
Configure a NAT gateway. Update the S3 bucket policy to allow access from the NAT gateway. Update the application to use the new NAT gateway.
D
Configure a VPC endpoint. Update the S3 bucket policy to allow access from the VPC endpoint. Update the application to use the new VPC endpoint.