Which solution will meet these requirements?

By:
In: SOA-C01
Tagged:
With: 1 Comment
A security officer has requested that internet access be removed from subnets in a VPC.The subnets currently route internet-bound traffic to a NAT gateway.ASysOps administrator needs to remove this access while allowing access to Amazon S3.

Which solution will meet these requirements?

Set up an internet gateway. Update the route table on the subnets to use the internet gateway to route traffic to Amazon S3.

Set up an S3 VPC gateway endpoint. Update the route table on the subnets to use the gateway endpoint to route traffic to Amazon S3.

Set up additional NAT gateways in each Availability Zone. Update the route table on the subnets to use the NAT gateways to route traffic to Amazon S3.

Set up an egress-only internet gateway. Update the route table on the subnets to use the egress-only internet gateway to route traffic to Amazon S3.

Explanations:

An internet gateway allows general internet access. Since the requirement is to remove internet access, this option is not suitable.

An S3 VPC gateway endpoint allows access to Amazon S3 without requiring internet access, fulfilling the requirement to allow access to S3 while blocking the internet.

NAT gateways still allow internet-bound traffic, which violates the requirement to remove internet access. Adding more NAT gateways does not meet the requirement.

An egress-only internet gateway is for IPv6 traffic only. Since the requirement does not specify IPv6 traffic and the goal is to block all internet access, this is not applicable.

2025-09-29

1 Comment

  1. Austin
    Author

    I assess that the answer is:
    Set up an S3 VPC gateway endpoint. Update the route table on the subnets to use the gateway endpoint to route traffic to Amazon S3.

Leave a Reply

Your email address will not be published. Required fields are marked *

9 − 6 =