A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.
Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Create an interface VPC endpoint (AWS PrivateLink) for the Secrets Manager service and update the security group rules to allow HTTPS from the application subnets.
An interface VPC endpoint provides private, route-table-scoped connectivity to Secrets Manager without internet access or NAT. Security group rules on the endpoint enforce which subnets/instances can reach it.
Add a public DNS entry in the instance /etc/hosts pointing Secrets Manager to the instance’s private IP so requests do not leave the VPC.
Secrets Manager is not reachable by mapping it to arbitrary private IPs; you need an AWS-managed private endpoint or NAT/internet for real service routing.
Attach an internet gateway to the private route table so that Secrets Manager traffic can reach public endpoints without NAT.
An internet gateway on a private route table effectively makes the subnet internet-reachable, violating the stated NAT-free and tightened network requirement.
Enable S3 VPC endpoint and store the secrets in an S3 bucket instead of Secrets Manager, then retrieve them using S3 gateway endpoints.
This changes the service and does not solve the Secrets Manager connectivity failure. It also weakens secret lifecycle controls provided by Secrets Manager.
Common exam trap
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
CIDR notation defines the prefix length.
The correct answer is: Create an interface VPC endpoint (AWS PrivateLink) for the Secrets Manager service and update the security group rules to allow HTTPS from the application subnets. — With no NAT gateway, instances in private subnets cannot reach public AWS service endpoints over the internet. The most direct secure solution is an interface VPC endpoint (PrivateLink) for Secrets Manager. This creates ENIs in your subnets (or chosen subnets) that route traffic to the Secrets Manager service privately. After adding the endpoint and allowing inbound HTTPS (443) from the application security group, the application can call Secrets Manager without internet egress. Why others are wrong: Option B relies on local DNS overrides and cannot magically route to the real Secrets Manager service. Option C adds internet reachability by using an internet gateway, undermining the network goal. Option D replaces Secrets Manager with S3, which may break security controls and still doesn’t address the requested private connectivity to Secrets Manager specifically.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.