What should a SysOps administrator do to meet the compliance requirement?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A global company handles a large amount of personally identifiable information (PII) through an internal web portal.The company’s application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection.The application stores the PII in Amazon S3.According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet.

What should a SysOps administrator do to meet the compliance requirement?

Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.

Configure AWS Network Firewall to redirect traffic to the internal S3 address.

Modify the application to use the S3 path-style endpoint.

Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.

Explanations:

Provisioning an interface VPC endpoint for Amazon S3 ensures that traffic from the application to Amazon S3 does not traverse the internet, meeting the compliance requirement.

AWS Network Firewall cannot redirect traffic to an internal S3 address. It is a security service for inspecting and controlling traffic, not for creating private endpoints.

Using the S3 path-style endpoint does not guarantee that traffic will avoid the internet. The traffic could still route through the public internet unless a private endpoint is used.

VPC network ACLs cannot be used to redirect traffic to Amazon S3. ACLs are used to control inbound and outbound traffic for VPC subnets, not for managing private connections to S3.

2025-10-03

1 Comment

  1. Madison
    Author

    In my opinion, the answer is:
    Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.

Leave a Reply

Your email address will not be published. Required fields are marked *

1 × five =