A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Deploy a NAT Gateway in each Availability Zone and route artifact traffic through it.

A NAT Gateway would work for connectivity, but it creates exactly the cost the team wants to remove. The gateway endpoint is the cost-optimized private option.

Use the S3 static website endpoint because it automatically enforces HTTPS.

S3 website endpoints are not the right choice for private CI uploads and do not provide the required transport and encryption controls. They are intended for public website hosting patterns.

What does this SAA-C03 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Create an S3 gateway VPC endpoint and associate it with the private subnets' route tables. — This design needs one network control and two bucket-policy controls. The S3 gateway endpoint removes the NAT Gateway dependency while keeping traffic private. The aws:SecureTransport deny enforces HTTPS so uploads are encrypted in transit. The SSE-KMS bucket policy requirement ensures the objects are encrypted at rest using the approved CMK. Together, these satisfy cost, transport security, and at-rest encryption requirements. Why others are wrong: A NAT Gateway solves connectivity but increases cost and is specifically what the team wants to avoid. The S3 website endpoint is for public static websites, not secure CI artifact uploads, and it does not implement the required policy enforcement. The correct approach combines private routing with explicit bucket-policy controls.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.