AWS Certified Data Engineer Associate DEA-C01 Practice Question
A data engineering team runs an Amazon EMR cluster in a private subnet. The cluster must download libraries from an Amazon S3 bucket, and company policy prohibits any traffic that leaves the VPC. All requests must be signed by the cluster's IAM instance profile; no other principals in the VPC should reach the bucket. Which network configuration meets these requirements in the most operationally efficient way?
Create a gateway VPC endpoint for Amazon S3 and attach an endpoint policy that allows access only from the EMR cluster's IAM role.
Deploy a NAT gateway in a public subnet and route the EMR subnet's traffic to Amazon S3 through the NAT gateway.
Establish VPC peering to a separate VPC that hosts an S3 proxy, and route the EMR subnet's traffic through the peered connection.
Create an interface VPC endpoint for Amazon S3 and associate it with the EMR subnet's security group.
A gateway VPC endpoint is the native, highly available mechanism for private connectivity to Amazon S3 and has no hourly or data-processing charges. It routes requests directly to the S3 service without public IP addresses or an internet gateway, so no traffic leaves the VPC. An endpoint policy attached to the gateway endpoint can restrict access to the specific S3 bucket and further limit it to the IAM role used by the EMR nodes, satisfying the security requirement with minimal management overhead.
A NAT gateway requires an internet gateway, causes traffic to leave the VPC, and adds cost.
Amazon S3 does support interface VPC endpoints (AWS PrivateLink), but they incur hourly and per-GB data-processing fees without adding benefit for traffic that stays inside the VPC, making them less operationally efficient.
VPC peering to an external VPC that hosts an S3 proxy introduces unnecessary complexity and infrastructure to manage.
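As an added example (not part of the original question or its explanation), the Python below builds an endpoint policy of the kind the explanation describes, limited to one bucket and one IAM role, and checks it with a simplified evaluator. The bucket name, account ID, role name and both helper functions are placeholders assumed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Placeholder values assumed for this example; they are not from the question.
BUCKET = "example-emr-libraries"
EMR_ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleEmrInstanceRole"


def build_endpoint_policy(bucket, role_arn):
    """S3 gateway endpoint policy: read-only, one bucket, one IAM role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EmrRoleReadsLibraryBucket",
            "Effect": "Allow",
            # Gateway endpoint policies take "*" as the principal; the role
            # is pinned by the aws:PrincipalArn condition instead.
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnEquals": {"aws:PrincipalArn": role_arn}},
        }],
    }


def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified check covering only the statement shape built above.

    Real IAM evaluation also handles Deny, wildcard actions and other
    condition operators; anything not matched here is an implicit deny.
    """
    for stmt in policy["Statement"]:
        pinned = stmt.get("Condition", {}).get("ArnEquals", {}).get("aws:PrincipalArn")
        if (stmt["Effect"] == "Allow"
                and action in stmt["Action"]
                and any(fnmatchcase(resource_arn, r) for r in stmt["Resource"])
                and pinned in (None, principal_arn)):
            return True
    return False


if __name__ == "__main__":
    # Print the policy document to attach to the gateway endpoint.
    print(json.dumps(build_endpoint_policy(BUCKET, EMR_ROLE_ARN), indent=2))
```

Requests from any other role in the VPC, to any other bucket, or using any other action fall through to an implicit deny at the endpoint.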
Data Security and Governance