AWS Certified Advanced Networking - Specialty Exam: Interacting with S3 in Private Subnet

Ensure Successful Interaction with S3 in Private Subnet

Prev Question Next Question

Question

An application has been built with the appropriate AWS SDK.

This application interacts with the S3 service in AWS.

This application is going to be deployed in a private subnet.

Which of the following should be done to ensure that the application can successfully interact with the S3 service.

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - C.

One can use the S3 VPC endpoint.

A VPC endpoint enables you to privately connect your VPC to an AWS service without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Instances in your VPC do not require public IP addresses to communicate with resources in other services.

Traffic between your VPC and the AWS service does not leave the Amazon network.

For more information on VPC endpoints, please visit the below link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

The correct answer is C. Create a VPC S3 endpoint.

Explanation:

When an application is deployed in a private subnet, it cannot directly communicate with the public internet or other AWS services outside the VPC. Therefore, it needs a way to access the S3 service, which is outside the VPC.

Option A, making the subnet a public subnet, is not recommended because it would expose the application to the public internet, which could be a security risk.

Option B, attaching an Internet gateway to the VPC, would allow the application to access the S3 service through the public internet, but it would also expose the VPC to the public internet, which could be a security risk.

Option D, attaching a Virtual Private gateway to the VPC, would be used for setting up a VPN connection between the VPC and on-premises infrastructure, but it is not required for accessing S3.

Option C, creating a VPC S3 endpoint, is the recommended solution. An S3 endpoint is a logical entity within a VPC that allows instances in the VPC to connect to S3 without going over the public internet or traversing a NAT device. With a VPC S3 endpoint, the application in the private subnet can access the S3 service securely and without exposing the VPC to the public internet.

In summary, to ensure that an application deployed in a private subnet can interact with the S3 service, you should create a VPC S3 endpoint.