Question #1894
A company hosts a data processing application on Amazon EC2 instances within a private subnet. The application requires secure access to Amazon S3 buckets for input and output data. Compliance policies mandate that all data transfers must occur without traversing the public internet.
What should a solutions architect implement to fulfill these requirements in the MOST cost-efficient manner?
A. Configure a NAT gateway to facilitate S3 bucket access.
B. Use AWS Storage Gateway to establish a connection to the S3 buckets.
C. Implement an S3 interface endpoint for accessing the S3 buckets.
D. Create an S3 gateway endpoint to enable access to the S3 buckets.
Explanation
The correct answer is D: Create an S3 gateway endpoint to enable access to the S3 buckets.
Why D is Correct:
- S3 Gateway Endpoints are VPC endpoints specifically designed for S3. They allow EC2 instances in a private subnet to securely access S3 buckets via AWS's private network, avoiding the public internet. This meets compliance requirements.
- Cost Efficiency: Gateway endpoints are free to use (no hourly charges), with only standard S3 data transfer costs applied. This makes them the most cost-effective solution compared to other options.
Why Other Options Are Incorrect:
- A (NAT Gateway): NAT gateways route traffic through the public internet, violating compliance. They also incur hourly and data transfer costs.
- B (Storage Gateway): AWS Storage Gateway is designed for hybrid cloud storage, not direct S3 access from EC2. It adds unnecessary complexity and cost.
- C (S3 Interface Endpoint): While interface endpoints (AWS PrivateLink) provide private connectivity, they incur hourly costs per endpoint and per GB processed. S3 gateway endpoints achieve the same goal more cost-effectively.
Key Points:
- Use gateway endpoints for S3/DynamoDB to avoid internet traffic and minimize costs.
- Gateway endpoints are free; interface endpoints and NAT gateways incur additional charges.
- Compliance often requires avoiding public internet paths, making gateway endpoints ideal for S3 access.
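As an added illustration of option D (this is example code written for this explanation, not part of the original question or an AWS-supplied template), the CloudFormation snippet below creates the S3 gateway endpoint, attaches it to the private subnet's route table, and pairs it with a bucket policy that refuses any request not arriving through that endpoint. The VPC ID, route table ID and bucket name are placeholder parameters; the endpoint and bucket policies are deliberately narrow and should be adjusted to the application's real needs.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the question): S3 gateway endpoint for a private
  subnet plus a bucket policy that only allows access through that endpoint.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # placeholder: the VPC holding the private subnet
  PrivateRouteTableId:
    Type: String                     # placeholder: route table of the private subnet
  DataBucketName:
    Type: String                     # placeholder: the existing input/output bucket
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway                          # no ENI, no hourly charge
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PrivateRouteTableId                      # installs the S3 prefix-list route
      PolicyDocument:                                   # endpoint policy: this bucket only
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
            Resource:
              - !Sub arn:aws:s3:::${DataBucketName}
              - !Sub arn:aws:s3:::${DataBucketName}/*
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnlessViaGatewayEndpoint           # any other network path is refused
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub arn:aws:s3:::${DataBucketName}
              - !Sub arn:aws:s3:::${DataBucketName}/*
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref S3GatewayEndpoint
Outputs:
  EndpointId:
    Value: !Ref S3GatewayEndpoint
```

Two practical points follow from this layout. First, the endpoint only takes effect for subnets whose route table is listed in RouteTableIds; after deployment, the private route table should show a destination that is a managed prefix list (pl-...) for S3 pointing at the vpce-... ID, which is the check that traffic to S3 no longer depends on a NAT gateway or internet gateway. Second, the Deny statement with aws:SourceVpce blocks every request that does not come through this endpoint, including console access and any tooling run outside the VPC, so the operators who manage the bucket need to work from inside the VPC or the statement needs an explicit exception for their role before it is applied.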
Answer
The correct answer is: D