A workload in private subnets must upload logs to Amazon S3 and retrieve one secret from AWS Secrets Manager. The security team forbids internet egress and wants the lowest operational overhead. Which two VPC endpoints should be created? Select two.

A NAT Gateway in the public subnet.

A NAT Gateway provides outbound internet access for private subnets. That violates the requirement to forbid internet egress and also adds cost and operational dependency.

An Internet Gateway attached to the VPC.

An Internet Gateway is used for public subnet routing and public internet access. It is unnecessary here and conflicts with the requirement to keep the workload private.

A DynamoDB gateway endpoint for the log upload path.

A DynamoDB endpoint is only for DynamoDB traffic. It does not help with S3 log uploads or Secrets Manager retrieval.

What does this SAA-C03 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: An Amazon S3 gateway endpoint for private S3 access. — The workload needs two different endpoint types. S3 uses a gateway endpoint, which is simple to deploy and keeps traffic on the AWS backbone without NAT. Secrets Manager requires an interface endpoint because it is an API service reached through PrivateLink. Together, these endpoints satisfy the private-subnet requirement while avoiding internet egress and minimizing operational overhead. A NAT Gateway and an Internet Gateway both introduce internet-dependent routing, which the scenario forbids. A DynamoDB gateway endpoint does not apply to the services in question. The correct combination is the S3 gateway endpoint plus the Secrets Manager interface endpoint.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.