A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services.
Which architecture best satisfies these requirements?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Place instances in private subnets but use NAT gateways so traffic to S3 and Secrets Manager goes through the internet; restrict security groups to instance-to-instance only.
NAT still routes traffic through the internet path and contradicts the cost and private-connectivity requirement. Restricting instance-to-instance rules does not prevent public service access through NAT.
Add a VPC gateway endpoint for S3 and an interface VPC endpoint for Secrets Manager; keep instances in private subnets and configure security group rules attached to the endpoints to allow inbound traffic only from the application subnets.
Gateway endpoints provide private routing to S3, and interface endpoints provide private access to Secrets Manager without internet traversal. Security group controls on interface endpoints restrict traffic to only the application subnets, meeting segmentation and cost constraints.
Use public subnets with instances that have no security group rules; rely on AWS services to reject unauthorized traffic.
Public subnets plus missing security controls violates baseline security. Relying on AWS service rejection does not provide explicit network segmentation or deterministic access control.
Create an S3 bucket policy that allows requests from the application instances’ private IP addresses and enable public access to Secrets Manager via the default service endpoint.
Bucket policy cannot safely replace network-level private connectivity. Secrets Manager still requires private endpoint configuration or NAT/IGW routing for private subnets; public access contradicts requirements.
Common exam trap
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
CIDR notation defines the prefix length.
The correct answer is: Add a VPC gateway endpoint for S3 and an interface VPC endpoint for Secrets Manager; keep instances in private subnets and configure security group rules attached to the endpoints to allow inbound traffic only from the application subnets. — The cleanest private pattern is to avoid NAT by using VPC endpoints. S3 is reachable through a gateway VPC endpoint, which adds private routing within the VPC. Secrets Manager requires an interface VPC endpoint (private link ENIs) so that calls stay within the AWS network. You then attach restrictive security group rules to the interface endpoint to allow inbound connections only from the application subnets’ CIDR ranges or specific instance security groups. This meets cost constraints and enforces network segmentation for only the needed AWS service access. Why others are wrong: Option A uses NAT gateways, which violates the “without routing through the public internet” and “without exposing to NAT gateways due to cost” requirements. Option C places instances in public subnets with no security group restrictions, breaking segmentation and increasing exposure risk. Option D attempts to solve access with S3 bucket policy and assumes public service access, which does not ensure private routing for Secrets Manager from private subnets.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.