Topic 1 Question 297
A company has deployed an application on Amazon EC2 instances in a single VPC. The company has placed the EC2 instances in a private subnet in the VPC.
The EC2 instances need access to Amazon S3 buckets that are in the same AWS Region as the EC2 instances. A SysOps administrator must provide the EC2 instances with access to the S3 buckets without requiring any changes to the EC2 instances or the application. The EC2 instances must not have access to the internet.
Which solution will meet these requirements?
A. Create an S3 gateway endpoint that uses the default gateway endpoint policy. Associate the private subnet with the gateway endpoint.
B. Create an S3 interface endpoint. Associate the EC2 instances with the interface endpoint.
C. Configure a NAT gateway. Associate the private subnet with the NAT gateway.
D. Configure a proxy EC2 instance. Update the private subnet route tables to route traffic through the proxy EC2 instance. Configure the proxy to route all S3 requests to the target S3 bucket.
Comments (10)
- Selected answer: A
Create an S3 gateway endpoint that uses the default gateway endpoint policy. Associate the private subnet with the gateway endpoint.
Notes:
Amazon S3 supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost.
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
Interface endpoints - These endpoints are directly accessible from applications that are on premises over VPN and AWS Direct Connect, or in a different AWS Region over VPC peering.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html
👍 8

noahsark 2023/06/24 - Selected answer: B
I think both A and B could provide EC2 access to S3. However, I found that a gateway endpoint is only associated with a VPC, not a subnet. The interface endpoint is associated with a subnet. Secondly, I don't think the default endpoint policy is sufficient: "ensure that your endpoint policy allows the AWS service or resource to access these buckets using the s3:GetObject action". To me, the answer has to be "B". It's a tough question (at least for me).
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
👍 3

Gomer 2023/06/09 - Selected answer: A
Same S3 Region: use a gateway endpoint. Another S3 Region: use an interface endpoint.
https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
👍 3

maddyr 2023/07/24
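The setup the top answer and noahsark's comment argue about (a gateway endpoint attached to the private subnet's route table, and whether the default endpoint policy is acceptable), written out as Terraform. This is an added example, not code from the original post or from AWS; the Region, VPC, route table and bucket identifiers are assumptions.

```hcl
# Added example, not from the original post. Region, IDs and bucket name are
# assumptions; replace them with your own values.
variable "region"         { default = "us-east-1" }                # assumed
variable "vpc_id"         { default = "vpc-0123456789abcdef0" }    # assumed
variable "private_rtb_id" { default = "rtb-0123456789abcdef0" }    # assumed: private subnet's route table
variable "app_bucket"     { default = "example-app-bucket" }       # assumed

# Gateway endpoint: the S3 prefix-list route is added to the private subnet's
# route table, so the instances reach S3 in the same Region without a NAT
# gateway or internet gateway and without any change to the instances or app.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_rtb_id]

  # The default endpoint policy allows full access to every bucket for every
  # principal; this one limits the endpoint to the application's bucket.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AppBucketOnly"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${var.app_bucket}", "arn:aws:s3:::${var.app_bucket}/*"]
    }]
  })
}

# Bucket side: refuse requests that did not arrive through this endpoint.
# This also blocks console/CLI access from outside the VPC, so add an
# exception for administrative principals before applying it for real.
resource "aws_s3_bucket_policy" "vpce_only" {
  bucket = var.app_bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessViaEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = ["arn:aws:s3:::${var.app_bucket}", "arn:aws:s3:::${var.app_bucket}/*"]
      Condition = { StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id } }
    }]
  })
}
```

After `terraform apply`, the private route table gains a route for the S3 prefix list whose target is the endpoint ID, which is the change the question describes as happening without touching the instances.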