A company has a VPC with an internet gateway and a NAT Gateway. The private subnet route table has a default route to the NAT Gateway. The company wants to enable instances in the private subnet to access an S3 bucket in the same region without traversing the internet. Which TWO actions should the company take?
This enables private access.
Why this answer
Option B is correct because associating the gateway endpoint with the private subnet's route table adds a route whose destination is the region's S3 managed prefix list (a `pl-` ID that expands to the S3 public IP ranges) and whose target is the endpoint (`vpce-`). That route is more specific than the `0.0.0.0/0` route to the NAT Gateway, so longest-prefix matching sends S3-bound packets to the endpoint while all other outbound traffic keeps using the NAT Gateway. Option C is correct because a gateway VPC endpoint for S3 provides a private, horizontally scaled path to S3 in the same region that never leaves the AWS network and does not need an internet gateway or NAT Gateway. Together, these actions allow private subnet instances to access S3 privately and efficiently. Two practical checks after making the change: confirm the prefix-list route appears in the private route table (the endpoint only affects route tables it is associated with), and review any bucket policies that allow access by `aws:SourceIp` set to the NAT Gateway's Elastic IP, because S3 now sees requests arriving from the endpoint rather than that IP; such policies should be keyed on `aws:SourceVpce` or `aws:SourceVpc` instead, and the endpoint policy can be used to restrict which buckets are reachable through it.
Exam trap
The trap here is that candidates often confuse gateway endpoints with interface endpoints, incorrectly assuming S3 requires an interface endpoint. S3 does also support interface endpoints (PrivateLink), but those carry hourly and per-GB charges and are mainly needed for access from on-premises networks over VPN or Direct Connect; inside the VPC the gateway endpoint is the intended answer. Candidates also sometimes think the NAT Gateway must be removed entirely, when in fact the NAT Gateway should remain for other outbound traffic and only the S3-specific route needs to be added via the gateway endpoint. A related caveat: a gateway endpoint serves only S3 in its own region, so a bucket in another region would still be reached through the NAT Gateway.
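The following Python script is an added example, not part of the original question or answer. It models the route selection described in the explanation above and the "NAT only" situation from the exam trap: it flattens a route table (in the shape `aws ec2 describe-route-tables` returns), expands the S3 managed prefix list into its CIDRs, and resolves next hops by longest-prefix match the way the VPC router does. All resource IDs and CIDRs are constructed for the example; `audit_s3_path` is a hypothetical helper name, not an AWS API.

```python
"""Added example: check that a private-subnet route table sends S3 traffic to a
gateway endpoint while the NAT default route stays in place.

Every ID and CIDR below is constructed for illustration; none is a real resource.
"""
import ipaddress

# Constructed: the region's S3 managed prefix list (hypothetical ID and CIDRs).
S3_PREFIX_LIST = {
    "PrefixListId": "pl-0a1b2c3d4e5f60789",
    "PrefixListName": "com.amazonaws.us-east-1.s3",
    "Cidrs": ["3.5.0.0/19", "52.216.0.0/15"],
}

VPCE_ID = "vpce-0a1b2c3d4e5f60789"  # hypothetical gateway endpoint
NAT_ID = "nat-0a1b2c3d4e5f60789"    # hypothetical NAT Gateway

# Constructed: private route table after the endpoint was associated with it.
# Field names mirror `aws ec2 describe-route-tables` output.
ROUTE_TABLE_WITH_ENDPOINT = {
    "RouteTableId": "rtb-0a1b2c3d4e5f60789",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_ID, "State": "active"},
        {"DestinationPrefixListId": S3_PREFIX_LIST["PrefixListId"], "GatewayId": VPCE_ID, "State": "active"},
    ],
}

# Constructed: the same table before the endpoint existed (the exam-trap state).
ROUTE_TABLE_NAT_ONLY = {
    "RouteTableId": "rtb-0a1b2c3d4e5f60789",
    "Routes": ROUTE_TABLE_WITH_ENDPOINT["Routes"][:2],
}


def route_target(route):
    """Return whichever target field the route carries (gateway, NAT, ENI, TGW, peering)."""
    for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                "TransitGatewayId", "VpcPeeringConnectionId"):
        if route.get(key):
            return route[key]
    return None


def expand_routes(route_table, prefix_lists):
    """Flatten active routes into (network, target) pairs, expanding prefix-list routes."""
    pl_by_id = {pl["PrefixListId"]: pl for pl in prefix_lists}
    expanded = []
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue  # blackholed routes do not forward traffic
        target = route_target(route)
        if "DestinationCidrBlock" in route:
            expanded.append((ipaddress.ip_network(route["DestinationCidrBlock"]), target))
        elif "DestinationPrefixListId" in route:
            for cidr in pl_by_id[route["DestinationPrefixListId"]]["Cidrs"]:
                expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def next_hop(routes, dst_ip):
    """Longest-prefix match: the most specific matching route wins, as in the VPC router."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit_s3_path(route_table, s3_prefix_list):
    """Hypothetical audit helper: is S3 reached via a vpce- target, and is the NAT default route intact?"""
    routes = expand_routes(route_table, [s3_prefix_list])
    # Probe the first host in each S3 CIDR; every probe must land on a gateway endpoint.
    probes = [str(ipaddress.ip_network(c).network_address + 1) for c in s3_prefix_list["Cidrs"]]
    s3_hops = {next_hop(routes, p) for p in probes}
    s3_via_endpoint = bool(s3_hops) and all(h is not None and h.startswith("vpce-") for h in s3_hops)
    internet_hop = next_hop(routes, "93.184.216.34")  # arbitrary non-S3 public address
    return {
        "s3_via_endpoint": s3_via_endpoint,
        "s3_next_hops": sorted(h for h in s3_hops if h),
        "default_via_nat": internet_hop is not None and internet_hop.startswith("nat-"),
    }


if __name__ == "__main__":
    for label, table in (("with endpoint", ROUTE_TABLE_WITH_ENDPOINT), ("NAT only", ROUTE_TABLE_NAT_ONLY)):
        print(label, audit_s3_path(table, S3_PREFIX_LIST))
```

Against a real account, the same functions can be fed the JSON from `aws ec2 describe-route-tables --route-table-ids rtb-...` and the CIDRs from `aws ec2 get-managed-prefix-list-entries --prefix-list-id pl-...`; the point the script makes is that the endpoint route wins by prefix length, so the `0.0.0.0/0` route to the NAT Gateway does not need to be touched.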