A company runs applications on Amazon EC2 instances in a VPC. One application must call the Amazon S3 API to store and read objects. Company security rules prohibit any traffic from the applications from traversing the internet. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure an S3 gateway endpoint..
Why this is the answer
Configuring an S3 gateway endpoint is the correct solution because it allows EC2 instances within a VPC to access S3 privately, without requiring an internet gateway, NAT device, or VPN connection. This directly addresses the security requirement that traffic must not traverse the internet. Creating an S3 bucket in a private subnet is incorrect because S3 buckets are global resources, not tied to a specific subnet within a VPC. While you can restrict access to a bucket from a private subnet, this option doesn't solve the connectivity problem. Creating an S3 bucket in the same AWS Region as the EC2 instances is a good practice for performance and cost, but it doesn't inherently provide private connectivity or prevent traffic from traversing the internet. Configuring a NAT gateway in the same subnet as the EC2 instances would allow instances in a private subnet to access S3 over the internet (via the NAT gateway and an internet gateway), which violates the security rule prohibiting internet traversal.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed