Which solution will meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is hosting an image-processing service on AWS in a VPC.The VPC extends across two Availability Zones.Each Availability Zone contains one public subnet and one private subnet.The service runs on Amazon EC2 instances in the private subnets.An Application Load Balancer in the public subnets is in front of the service.The service needs to communicate with the internet and does so through two NAT gateways.The service uses Amazon S3 for image storage.The EC2 instances retrieve approximately 1 ТВ of data from an S3 bucket each day.The company has promoted the service as highly secure.A solutions architect must reduce cloud expenditures as much as possible without compromising the service’s security posture or increasing the time spent on ongoing operations.

Which solution will meet these requirements?

Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.

Move the EC2 instances to the public subnets. Remove the NAT gateways.

Set up an S3 gateway VPC endpoint in the VPAttach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the images on the EFS volume.

Explanations:

Replacing NAT gateways with NAT instances may reduce costs but introduces additional maintenance and can reduce reliability. NAT instances do not scale automatically and require manual handling for high availability across zones.

Moving EC2 instances to public subnets would increase exposure to the internet, compromising the security posture. The instances would have public IPs, making them more vulnerable to unauthorized access.

Using an S3 gateway VPC endpoint allows EC2 instances to directly connect to S3 over AWS’s internal network, reducing NAT gateway costs for S3 access. It also enhances security by eliminating the need for internet traffic.

Amazon EFS is not suitable for high-throughput S3-like storage of 1 TB/day and would incur high costs. EFS is designed more for low-latency access for smaller files and does not directly reduce costs related to S3 data retrieval.

2025-10-08

1 Comment

  1. Charlotte
    Author

    I evaluate that the answer is:
    Set up an S3 gateway VPC endpoint in the VPAttach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

Leave a Reply to Charlotte Cancel reply

Your email address will not be published. Required fields are marked *

2 × three =