A company must move data from an Amazon EC2 instance to an Amazon S3 bucket without routing any API calls or data over public internet routes. Only the EC2 instance should be allowed to upload data to the S3 bucket. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance’s IAM role for access..
Why this is the answer
The correct solution uses an interface VPC endpoint for Amazon S3. Interface endpoints (powered by AWS PrivateLink) provide private connectivity to AWS services from within your VPC, ensuring traffic does not traverse the public internet. A resource policy on the S3 bucket, allowing only the EC2 instance's IAM role, restricts access to the specific instance, fulfilling the security requirement. Incorrect options: A gateway VPC endpoint for S3 is a valid way to access S3 privately, but it doesn't support private DNS names and is not created in a specific Availability Zone or subnet; it's associated with route tables. More importantly, interface endpoints offer broader PrivateLink features and are generally preferred for new deployments requiring private DNS. Running nslookup or using ip-ranges.json to find private IP addresses for S3 service endpoints is not how private connectivity is established or managed. S3 is a highly distributed service, and its underlying IP addresses are dynamic and not meant for direct routing configuration. VPC endpoints abstract this complexity.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed