Question #1195
An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon S3 bucket. What is the MOST secure way to access the bucket while ensuring that the traffic does not leave the AWS network?
A. Use a VPC endpoint for S3.
B. Use a NAT gateway in a public subnet.
C. Use a NAT instance in a private subnet.
D. Use the internet gateway attached to the VPC.
Explanation
The correct answer is A. A VPC endpoint for S3 provides a private connection between the VPC and Amazon S3, so traffic never leaves the AWS network. This removes the need for an internet gateway, NAT devices, or public IP addresses on the instances, which improves security and reduces latency.
Why other options are incorrect:
- B (NAT gateway): Routes traffic through the public subnet and out to the internet, so it leaves the AWS network.
- C (NAT instance in private subnet): Misconfigured, since a NAT instance must be placed in a public subnet to work at all; even when placed correctly, the traffic still traverses the internet.
- D (Internet gateway): Sends traffic directly over the public internet, violating the requirement.
Key Points:
1. VPC endpoints (the Gateway type for S3, added as a target in the subnet route tables) enable private access over the AWS network.
2. NAT and internet gateways route traffic externally, increasing both risk and cost.
3. Always prefer VPC endpoints for AWS service access from private subnets.
Answer
The correct answer is: A