SCS-C02 Question #190: Real Exam Question with Answer & Explanation

Submitted by yuriko_h · Mar 6, 2026 · Incident Response

Question

A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket. The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet. All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet. Which solution will meet these requirements?

Options

  • A. Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to …
  • B. Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to …
  • C. Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the …
  • D. Deploy an Amazon Simple Queue Service (Amazon SQS) queue and the Lambda functions in the …

Explanation

Option B is correct because deploying Lambda functions in a private subnet combined with an S3 gateway endpoint ensures all traffic to S3 travels exclusively over AWS's internal network backbone - never touching the public internet. An S3 gateway endpoint is a VPC endpoint that adds an entry to the route table, directing S3-bound traffic through AWS infrastructure rather than through the NAT gateway (which exits to the internet).

Why the distractors are wrong:

  • Option A likely deploys Lambda to a private subnet but relies on the NAT gateway for S3 access, which routes traffic through the internet - directly violating the core requirement.
  • Option C is invalid because Amazon S3 is a fully managed regional service; you cannot deploy an S3 bucket inside a VPC subnet. S3 has no concept of subnet placement.
  • Option D introduces SQS, which adds unnecessary complexity and doesn't solve the fundamental problem of keeping S3 traffic off the internet.

Memory tip: Whenever an exam question says "must not traverse the internet" + S3 access from a VPC, the answer almost always involves a VPC Gateway Endpoint for S3. Gateway endpoints (for S3 and DynamoDB) are free, impose no bandwidth bottleneck, and work by adding a private route to your route table - think of them as a "shortcut" directly into AWS services that bypasses the internet entirely.
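To make the route-table mechanism in the explanation concrete, here is an added example (not code from the exam page or from AWS): a Python check over data shaped like the EC2 DescribeRouteTables and DescribeVpcEndpoints responses. The field names (RouteTables, Routes, DestinationPrefixListId, GatewayId, VpcEndpointType, ServiceName) are real API fields; every ID, subnet name and the sample records are constructed placeholders so the check runs offline. It also shows the caveat a practitioner wants to verify: creating the gateway endpoint is not enough, it must be associated with the private subnet's route table, otherwise S3 traffic from that subnet still follows the default route to the NAT gateway.

```python
"""Verify that a private subnet routes S3 traffic through a gateway endpoint.

Added example; works on data shaped like the EC2 DescribeRouteTables and
DescribeVpcEndpoints responses. Field names are real, all IDs are constructed.
"""
from typing import Optional


def s3_gateway_endpoint_ids(vpc_endpoints: dict, region: str) -> set:
    """Return IDs of available S3 *gateway* endpoints for the given region."""
    wanted = f"com.amazonaws.{region}.s3"
    return {
        ep["VpcEndpointId"]
        for ep in vpc_endpoints.get("VpcEndpoints", [])
        if ep.get("VpcEndpointType") == "Gateway"
        and ep.get("ServiceName") == wanted
        and ep.get("State") == "available"
    }


def route_table_for_subnet(route_tables: dict, subnet_id: str) -> Optional[dict]:
    """Explicit subnet association wins; otherwise the VPC main route table applies."""
    main = None
    for rt in route_tables.get("RouteTables", []):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def assess_s3_path(route_tables: dict, vpc_endpoints: dict,
                   subnet_id: str, region: str) -> dict:
    """Report how S3-bound traffic leaves the subnet.

    A gateway endpoint shows up as a route whose destination is the S3 prefix
    list and whose target is a vpce-* ID. Without such a route, S3 traffic
    simply follows the default route (here, the NAT gateway -> internet).
    """
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return {"ok": False, "reason": "no route table found for subnet"}
    endpoint_ids = s3_gateway_endpoint_ids(vpc_endpoints, region)
    routes = rt.get("Routes", [])
    via_endpoint = any(
        r.get("DestinationPrefixListId")
        and r.get("GatewayId") in endpoint_ids
        and r.get("State") == "active"
        for r in routes
    )
    default_target = next(
        (r.get("NatGatewayId") or r.get("GatewayId") or "none"
         for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"),
        "none",
    )
    reason = ("S3 prefix-list route targets a gateway endpoint" if via_endpoint
              else "no S3 gateway endpoint route; S3 traffic follows the default route")
    return {"ok": via_endpoint, "route_table": rt["RouteTableId"],
            "default_route_target": default_target, "reason": reason}


# Constructed sample data (placeholder IDs, not from any real account).
# rtb-private-ok has the endpoint route; rtb-private-nat does not, because the
# endpoint was never associated with it.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-ok",
     "Associations": [{"SubnetId": "subnet-private-ok", "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
         {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example",
          "State": "active"}]},
    {"RouteTableId": "rtb-private-nat",
     "Associations": [{"SubnetId": "subnet-private-nat", "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
]}
SAMPLE_VPC_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-s3-example", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-private-ok"]},
]}

if __name__ == "__main__":
    for subnet in ("subnet-private-ok", "subnet-private-nat"):
        print(subnet, assess_s3_path(SAMPLE_ROUTE_TABLES, SAMPLE_VPC_ENDPOINTS,
                                     subnet, "us-east-1"))
```

Run against real accounts, the two inputs would come from `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` for the VPC; the check is per subnet because each private subnet can be governed by a different route table, and only the tables listed in the endpoint's RouteTableIds receive the prefix-list route.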

Topics

#VPC Endpoints · #S3 Gateway Endpoint · #Private Networking · #Incident Response Automation
