
ANS-C01 Question #51: Real Exam Question with Answer & Explanation

The correct answer is B: Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to the. To securely transfer on-premises financial data to Amazon S3 via Direct Connect and a transit gateway, an IPsec VPN connection over the Direct Connect transit VIF should be established to a VPC containing an S3 gateway VPC endpoint.

Submitted by valeria.br · Mar 6, 2026 · Networking

Question

A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit. Which solution will meet these requirements?

Options

  • A. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to
  • B. Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to the
  • C. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC
  • D. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to the

Explanation

To securely transfer on-premises financial data to Amazon S3 via Direct Connect and a transit gateway, an IPsec VPN connection over the Direct Connect transit VIF should be established to a VPC containing an S3 gateway VPC endpoint.

Common mistakes.

  • A. A public VIF provides access to public AWS services but does not inherently encrypt traffic, and while a VPN over it encrypts, S3 private access typically uses gateway endpoints within a VPC, not a direct VPN to the S3 service.
  • C. Creating a VPC and attaching it to a transit gateway is correct, but Amazon S3 uses gateway VPC endpoints, not interface VPC endpoints, making this solution incorrect for private S3 access.
  • D. This option suggests an IPsec VPN over a public VIF directly to an 'S3 bucket', which is fundamentally incorrect as S3 buckets are not VPN endpoints; private S3 access requires a gateway VPC endpoint within a VPC.

Concept tested. Direct Connect, Transit Gateway, VPN, and S3 VPC Endpoints for Secure Data Transfer

Reference. https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-vpn-options.html

Topics

#AWS Direct Connect · #Transit Gateway · #S3 Private Access · #IPsec VPN
