AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company operates hundreds of Amazon EC2 instances in private subnets across three production VPCs in the us-east-1 Region. The instances must receive Run Command instructions and software patches by using AWS Systems Manager and must also upload command output logs to an Amazon S3 bucket in the same Region. A new security policy forbids any traffic from these subnets from traversing a NAT gateway, internet gateway, or public IP address. The networking team also wants every AWS SDK call that the instances make to resolve to private IP addresses inside the VPCs and to minimize ongoing data-processing charges.
Which solution meets these requirements while providing the lowest operational cost?
Keep the NAT gateways in place but attach an S3 gateway endpoint to each route table. Add an IAM policy to every instance profile that denies access to public IP addresses.
In each VPC create gateway VPC endpoints for Amazon S3, AWS Systems Manager, and Amazon EC2. Update the private subnet route tables to point traffic for these services to the gateway endpoints and delete the NAT gateways.
In each VPC create interface VPC endpoints for SSM, SSMMessages, and EC2Messages, enable private DNS for the endpoints, and attach an endpoint policy that allows only the required Systems Manager actions. Create a gateway VPC endpoint for Amazon S3 and add it to the route tables used by the private subnets. Remove the NAT gateway routes.
Create an endpoint service (AWS PrivateLink) for Systems Manager and S3 in a shared-services VPC, share the service with the other VPCs by using AWS RAM, and create Route 53 private hosted zone records that map the public service domains to the endpoint's private IP addresses. Remove the NAT gateways.
Without a path to the internet, Systems Manager is reachable from a VPC only through interface VPC endpoints (SSM, SSMMessages, and EC2Messages). Enabling private DNS on these endpoints makes the standard public service names resolve to the endpoints' private IP addresses, so application code does not need to change.
Amazon S3 can be reached over a gateway VPC endpoint, which is free of hourly and data-processing charges and keeps traffic on the AWS backbone without requiring NAT. Using the gateway endpoint for S3 and interface endpoints for Systems Manager removes the need for NAT gateways, satisfies the no-internet requirement, and keeps recurring costs lower than an all-interface-endpoint or NAT-based design.
The other choices fail because:
Gateway endpoints exist only for S3 and DynamoDB, so they cannot be used for Systems Manager.
Creating a user-managed endpoint service for S3 or Systems Manager is not supported and adds needless complexity.
Retaining NAT gateways still violates the security mandate and continues to incur hourly and data-processing fees.
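The endpoint design from the explanation, written out as Terraform for one of the three VPCs. This is an added example and is not part of the question bank or of any AWS documentation. The VPC, subnet and route-table IDs, the VPC CIDR and the log bucket name are placeholders; the account lookup is an assumption about how the endpoint policies are scoped; the action lists mirror the agent-side permissions in AWS's AmazonSSMManagedInstanceCore managed policy.

```hcl
# Added example (not from the question bank). One VPC in us-east-1; repeat
# per VPC (for example as a module). Private DNS on an interface endpoint
# only works when the VPC has enableDnsSupport and enableDnsHostnames on.
locals {
  region               = "us-east-1"
  vpc_id               = "vpc-PLACEHOLDER"                         # assumption
  vpc_cidr             = "10.0.0.0/16"                             # constructed
  private_subnet_ids   = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  private_route_tables = ["rtb-PLACEHOLDER-a", "rtb-PLACEHOLDER-b"]

  # Per-service allow lists for the interface endpoint policies.
  endpoint_actions = {
    ssm = [
      "ssm:DescribeAssociation", "ssm:GetDeployablePatchSnapshotForInstance",
      "ssm:GetDocument", "ssm:DescribeDocument", "ssm:GetManifest",
      "ssm:ListAssociations", "ssm:ListInstanceAssociations",
      "ssm:PutInventory", "ssm:PutComplianceItems",
      "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus",
      "ssm:UpdateInstanceInformation",
    ]
    ssmmessages = [
      "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
      "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
    ]
    ec2messages = [
      "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
      "ec2messages:FailMessage", "ec2messages:GetEndpoint",
      "ec2messages:GetMessages", "ec2messages:SendReply",
    ]
  }
}

data "aws_caller_identity" "current" {}

# Interface endpoints are ENIs in the private subnets; they only need to
# accept HTTPS from the instances inside the VPC.
resource "aws_security_group" "endpoints" {
  name   = "ssm-interface-endpoints"
  vpc_id = local.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}

# Endpoint policy: only the actions the SSM Agent needs, and only for
# principals in this account. It is evaluated together with the instance
# profile's IAM policy, so it narrows rather than replaces IAM.
data "aws_iam_policy_document" "endpoint" {
  for_each = local.endpoint_actions

  statement {
    effect    = "Allow"
    actions   = each.value
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# One interface endpoint per Systems Manager service, with private DNS so
# ssm.us-east-1.amazonaws.com (etc.) resolves to in-VPC addresses.
resource "aws_vpc_endpoint" "ssm" {
  for_each = local.endpoint_actions

  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
  policy              = data.aws_iam_policy_document.endpoint[each.key].json
}

# Gateway endpoint for S3: a route-table entry, no ENI, no hourly or
# per-GB charge. Command output uploads take this path.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = local.private_route_tables
}
```

After `terraform apply`, the NAT routes (`0.0.0.0/0` via the NAT gateway) can be removed from the private route tables; the S3 prefix-list route and the interface endpoint ENIs are the only paths left, which is exactly what the policy asks for. Two caveats a practitioner would check: the three interface endpoints are billed per AZ-hour plus per GB, so the cost saving comes from the S3 gateway endpoint carrying the bulk data, not from the interface endpoints being free; and if you later add a restrictive policy to the S3 gateway endpoint, it must still allow the AWS-managed buckets the agent pulls patches and package manifests from (listed in the Systems Manager documentation), or patching will break while Run Command keeps working.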
Design for New Solutions