AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company is moving its data and applications to AWS during a multiyear migration project. The company wants to securely access data on Amazon S3 from the company's AWS Region and from the company's on-premises location. The data must not traverse the internet. The company has established an AWS Direct Connect connection between its Region and its on-premises location.
Which solution will meet these requirements?
Other
Community
UAnonymous
A
Create gateway endpoints for Amazon S3. Use the gateway endpoints to securely access the data from the Region and the on-premises location.
B
Create a gateway in AWS Transit Gateway to access Amazon S3 securely from the Region and the on-premises location.
C
Create interface endpoints for Amazon S3. Use the interface endpoints to securely access the data from the Region and the on-premises location.
D
Use an AWS Key Management Service (AWS KMS) key to access the data securely from the Region and the on-premises location.
Explanation:
Explanation
Correct Answer: A
Why Option A is correct:
- Gateway endpoints for Amazon S3 are specifically designed to allow access to Amazon S3 from within a VPC without traversing the internet.
- Gateway endpoints use AWS PrivateLink technology and provide private connectivity between your VPC and Amazon S3.
- When combined with AWS Direct Connect, traffic from on-premises locations can access S3 through the gateway endpoint without going over the internet.
- Gateway endpoints are the recommended solution for accessing S3 privately from both within AWS and on-premises via Direct Connect.
Why other options are incorrect:
Option B: AWS Transit Gateway is a network transit hub that simplifies network connectivity between VPCs and on-premises networks, but it doesn't provide private connectivity to S3 services. It would still require internet access or gateway endpoints to reach S3.
Option C: Interface endpoints are for AWS services that are powered by AWS PrivateLink (like Amazon S3 through S3 Interface endpoints), but for S3 specifically, gateway endpoints are the appropriate choice. While S3 does offer interface endpoints, gateway endpoints are more cost-effective for S3 and are specifically designed for this purpose.
Option D: AWS KMS is for encryption key management, not for network connectivity. While KMS can help secure data at rest, it doesn't address the requirement for data not to traverse the internet.
Key Points:
- Gateway endpoints for S3 provide private connectivity from VPCs to S3
- Combined with Direct Connect, on-premises traffic can access S3 privately
- Data never traverses the public internet
- This is a common pattern for hybrid architectures requiring private S3 access
Comments
Loading comments...