AWS SAA-C03 #208

A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.

Which solution will meet these requirements?

A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

D. Use the AWS-provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.


The correct answer is A.

You should create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Then, attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.

This solution meets all the requirements because it ensures that no API calls and no data are routed through public internet routes, and only the EC2 instance can have access to upload data to the S3 bucket.
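The bucket resource policy is the part of option A that enforces "only the EC2 instance can upload". The block below is an added example, not part of the exam question or any AWS sample; it builds such a policy (an Allow limited to the instance's role, plus a Deny on every request that did not arrive through the VPC endpoint, using the real `aws:SourceVpce` condition key) and runs a few constructed requests through a minimal IAM-style evaluator so the decisions can be seen. The account id, bucket name, role ARN and endpoint id are placeholders.

```python
"""Added example (not from the original page): S3 bucket policy restricting
uploads to one EC2 instance role and to traffic that came through the VPC
endpoint, plus a small evaluator for sample requests.  All identifiers are
constructed placeholders."""
import fnmatch
import json

ACCOUNT = "123456789012"                                     # placeholder account id
BUCKET = "example-upload-bucket"                             # placeholder bucket name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ec2-uploader-role"  # placeholder instance role
VPCE_ID = "vpce-0123456789abcdef0"                           # placeholder endpoint id

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Only the instance's role may write objects.
            "Sid": "AllowUploadFromInstanceRole",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {   # Any request that did not traverse the endpoint is refused,
            # whoever sent it; this is what keeps data off public routes.
            "Sid": "DenyUnlessViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, request_principal):
    if principal == "*":
        return True
    return request_principal in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    # Only StringNotEquals is modelled.  When the key is absent from the
    # request context (no endpoint involved) the negated operator is true,
    # so the Deny statement fires for traffic that bypassed the endpoint.
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) in _as_list(expected):
                return False
    return True


def _statement_matches(stmt, request):
    return (
        _principal_matches(stmt["Principal"], request["principal"])
        and any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), request.get("context", {}))
    )


def evaluate(policy, request):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' in IAM order:
    an explicit Deny wins, then an explicit Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, request)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


OBJECT = f"arn:aws:s3:::{BUCKET}/report.csv"

SAMPLE_REQUESTS = {  # constructed requests as the bucket policy would see them
    "instance via endpoint": {"principal": ROLE_ARN, "action": "s3:PutObject",
                              "resource": OBJECT, "context": {"aws:SourceVpce": VPCE_ID}},
    "instance via public route": {"principal": ROLE_ARN, "action": "s3:PutObject",
                                  "resource": OBJECT, "context": {}},
    "other role via endpoint": {"principal": f"arn:aws:iam::{ACCOUNT}:role/other-role",
                                "action": "s3:PutObject", "resource": OBJECT,
                                "context": {"aws:SourceVpce": VPCE_ID}},
    "instance read via endpoint": {"principal": ROLE_ARN, "action": "s3:GetObject",
                                   "resource": OBJECT, "context": {"aws:SourceVpce": VPCE_ID}},
}


def decisions():
    """Decision for every sample request."""
    return {name: evaluate(BUCKET_POLICY, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for name, decision in decisions().items():
        print(f"{name}: {decision}")
```

The evaluator covers only the bucket policy; in the same account an identity policy on the role can still grant other actions, so the role's own policy should be kept to `s3:PutObject` on this bucket as well. The Deny statement applies to everyone, administrators included, so any account principal that must manage the bucket from outside the VPC (a break-glass role, for instance) has to be excluded from it explicitly before the policy is attached.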

The other options (B, C, and D) are not correct because they either do not provide the necessary security or they involve routing data through public internet routes, which is against the requirements.

Here is why the other options are incorrect:

Option B: A gateway VPC endpoint for Amazon S3 does not support private DNS, so requests to the S3 bucket could be routed over the public internet. Also, security groups cannot be attached to a gateway VPC endpoint.

Option C: The nslookup tool cannot be used to obtain the private IP address of the S3 bucket's service API endpoint. Amazon S3 is a regional service and does not have a private IP address.

Option D: The ip-ranges.json file provided by AWS lists public IP address ranges, not private IP addresses. Therefore, this method would not meet the requirement to avoid routing data through public internet routes.

In all these options, the data transfer does not stay within the Amazon network, which is a violation of the stated requirements.
