SAA-C03 · Question #213
SAA-C03 Question #213: Real Exam Question with Answer & Explanation
The correct answers are C and D: create a gateway VPC endpoint for Amazon S3, or create an interface VPC endpoint for Amazon S3. Either one lets a VPC-connected Lambda function in private subnets reach S3 over the AWS network without any route to the internet.
Question
A company wants to deploy an AWS Lambda function that will read and write objects in an Amazon S3 bucket. The Lambda function must be connected to the company's VPC. The company must deploy the Lambda function only to private subnets in the VPC. The Lambda function must not be allowed to access the internet. Which solutions will meet these requirements? (Select TWO.)
Options
- A. Create a private NAT gateway to access the S3 bucket.
- B. Attach an Elastic IP address to the NAT gateway.
- C. Create a gateway VPC endpoint for the S3 bucket.
- D. Create an interface VPC endpoint for the S3 bucket.
- E. Create a public NAT gateway to access the S3 bucket.
Explanation
Both correct options keep the function's S3 traffic inside the AWS network. A gateway VPC endpoint (C) adds a route for the Region's S3 prefix list to the private subnets' route tables, so requests to S3 leave the VPC only through the endpoint; gateway endpoints are free, same-Region only, and the usual choice. An interface VPC endpoint (D, AWS PrivateLink) places an elastic network interface with a private IP address in the VPC; the function reaches S3 through that interface, normally via the endpoint-specific DNS names, and a security group can be attached to the endpoint. Neither requires an internet gateway or NAT gateway, so the no-internet requirement holds. In both cases the function's execution role still needs IAM permissions on the bucket, and an endpoint policy can further restrict which buckets and principals may use the endpoint.
Common mistakes.
- A. A private NAT gateway translates traffic bound for other VPCs or on-premises networks through a transit gateway or virtual private gateway. It cannot be given an Elastic IP and on its own provides no path to S3, so it does not meet the requirement that the function read and write the bucket.
- B. An Elastic IP address is attached to a public NAT gateway, whose purpose is to give private subnets outbound internet access. That is exactly what the requirement prohibits, and it is not a way to reach S3 privately.
- E. A public NAT gateway forwards the private subnets' default-route (0.0.0.0/0) traffic to the internet through an internet gateway. The function would reach S3 over its public endpoints, which violates the requirement that the Lambda function must not be allowed to access the internet.
Concept tested. VPC endpoints for private S3 access
Reference. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
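The check a practitioner would want after choosing C or D is to confirm that every subnet in the function's VpcConfig has a private path to S3 and no default route to an internet gateway or NAT gateway. The following Python is an added example, not part of the exam page or of any AWS documentation. It works offline on constructed data shaped like the EC2 DescribeRouteTables and DescribeVpcEndpoints responses and the Lambda VpcConfig block; all resource IDs, the CIDR, the prefix list ID and the role ARN are placeholders, and the `s3_endpoint_policy` helper builds a least-privilege endpoint policy for one bucket and one caller.

```python
"""Offline audit of a VPC-connected Lambda function's private path to S3.

Added example, not from the exam page. Data is constructed to mirror the
shape of EC2 DescribeRouteTables / DescribeVpcEndpoints responses and the
Lambda VpcConfig block; no AWS API calls are made. IDs are placeholders.
"""
REGION = "us-east-1"
S3_SERVICE = f"com.amazonaws.{REGION}.s3"
VPC_ID = "vpc-0example"

# Constructed: subnet-a routes the S3 prefix list to a gateway endpoint and has
# no default route; subnet-b has a default route through a NAT gateway.
LAMBDA_VPC_CONFIG = {"SubnetIds": ["subnet-a", "subnet-b"], "SecurityGroupIds": ["sg-0example"]}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a", "VpcId": VPC_ID, "Associations": [{"SubnetId": "subnet-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-gw-s3", "State": "active"}]},
    {"RouteTableId": "rtb-b", "VpcId": VPC_ID, "Associations": [{"SubnetId": "subnet-b", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-gw-s3", "VpcEndpointType": "Gateway", "VpcId": VPC_ID,
     "ServiceName": S3_SERVICE, "RouteTableIds": ["rtb-a"], "SubnetIds": []},
]


def route_table_for(subnet_id, route_tables):
    """Explicitly associated table, else the VPC's main table (implicit association)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_internet_route(rt):
    """Active default route (v4 or v6) targeting an IGW, NAT gateway or egress-only IGW."""
    for r in rt.get("Routes", []):
        if r.get("State") != "active":
            continue
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        target = r.get("GatewayId") or r.get("NatGatewayId") or r.get("EgressOnlyInternetGatewayId") or ""
        if dest in ("0.0.0.0/0", "::/0") and target.split("-")[0] in ("igw", "nat", "eigw"):
            return True
    return False


def has_s3_gateway_route(rt, endpoints):
    """Active prefix-list route to a gateway endpoint whose service is this Region's S3."""
    gw_ids = {e["VpcEndpointId"] for e in endpoints
              if e["VpcEndpointType"] == "Gateway" and e["ServiceName"] == S3_SERVICE}
    return any(r.get("State") == "active" and r.get("DestinationPrefixListId")
               and r.get("GatewayId") in gw_ids for r in rt.get("Routes", []))


def has_s3_interface_endpoint(vpc_id, endpoints):
    """An S3 interface endpoint ENI anywhere in the VPC is reachable over the local route.
    Clients must use the endpoint-specific DNS names unless private DNS is enabled."""
    return any(e["VpcEndpointType"] == "Interface" and e["ServiceName"] == S3_SERVICE
               and e.get("VpcId") == vpc_id for e in endpoints)


def audit_lambda_subnets(vpc_config, route_tables, endpoints, vpc_id):
    """Per subnet: a private S3 path must exist and no internet route may exist."""
    results = {}
    for subnet_id in vpc_config["SubnetIds"]:
        rt = route_table_for(subnet_id, route_tables)
        if rt is None:
            results[subnet_id] = {"route_table": None, "compliant": False}
            continue
        internet = has_internet_route(rt)
        private_s3 = has_s3_gateway_route(rt, endpoints) or has_s3_interface_endpoint(vpc_id, endpoints)
        results[subnet_id] = {"route_table": rt["RouteTableId"], "internet_route": internet,
                              "private_s3_path": private_s3, "compliant": private_s3 and not internet}
    return results


def s3_endpoint_policy(bucket_name, role_arn):
    """Endpoint policy document allowing only one bucket and one caller through the endpoint.
    Principal "*" plus an aws:PrincipalArn condition works for gateway and interface endpoints.
    The execution role still needs its own IAM permissions; this only narrows the endpoint."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"  # placeholder bucket, constructed
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"StringEquals": {"aws:PrincipalArn": role_arn}}}]}


if __name__ == "__main__":
    for subnet, r in audit_lambda_subnets(LAMBDA_VPC_CONFIG, ROUTE_TABLES, VPC_ENDPOINTS, VPC_ID).items():
        print(subnet, r)
```

Run against live data by feeding it the `RouteTables` and `VpcEndpoints` lists from the EC2 API and the `VpcConfig` block from Lambda's GetFunctionConfiguration; subnet-b in the constructed sample is the option E mistake (a NAT gateway default route) and is reported as non-compliant even though it could reach S3.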
Community Discussion
No community discussion yet for this question.