An application runs in private subnets and must download objects from Amazon S3 and read one secret from AWS Secrets Manager. NAT gateways are prohibited, and traffic must not traverse the public internet. The secret uses a customer managed KMS key. Which design is best?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Distractor review
Use a NAT gateway for outbound access and rely on security groups to block internet destinations.
A NAT gateway gives the private subnets a default route through an internet gateway, so requests to the S3 and Secrets Manager public endpoints leave via public IP space; that is exactly the path the requirement forbids, and it adds NAT data-processing charges on top. Security groups are allow-lists applied to the instance's traffic: they can narrow destinations, but they cannot turn a public-endpoint path into private connectivity.
Distractor review
Create interface VPC endpoints for both S3 and Secrets Manager and enable private DNS.
Secrets Manager does require an interface endpoint, and S3 does support one, but an interface endpoint is billed per hour and per GB while the S3 gateway endpoint is free and needs only a route-table entry. The S3 interface endpoint exists for cases a gateway endpoint cannot serve, such as access from on-premises or from a peered VPC; for an application inside the VPC it is unnecessary cost and complexity, so this option is not the best fit.
Best answer
Create a gateway VPC endpoint for S3 and an interface VPC endpoint for Secrets Manager with private DNS enabled.
This combination keeps traffic on the AWS network without NAT. S3 is best accessed through a gateway endpoint: it is free, and you attach it by adding a route for the S3 managed prefix list to the private subnets' route table, so no endpoint ENI or security group is involved. Secrets Manager has no gateway option and requires an interface endpoint, an ENI placed in your subnets; its security group must allow inbound TCP 443 from the application, and private DNS (which needs DNS resolution and DNS hostnames enabled on the VPC) makes the default secretsmanager.<region>.amazonaws.com hostname resolve to the endpoint's private IPs, so the SDK needs no custom endpoint URL. The customer managed KMS key does not change the network design: Secrets Manager calls KMS service-side to decrypt the secret, so the application role needs kms:Decrypt on the key but no KMS endpoint or network path of its own.
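The following is an added example, not code from the original page: an offline check that a VPC's endpoint and route-table configuration actually matches the best answer (S3 via a gateway endpoint, Secrets Manager via an interface endpoint with private DNS, no NAT or internet route from the private subnets), plus the IAM statement the application role needs for the customer managed key. The input dicts mirror the shape of boto3's ec2.describe_vpc_endpoints() and ec2.describe_route_tables() responses; the sample data, region, subnet, endpoint and route-table IDs and the key ARN are all constructed assumptions for the example.

```python
"""Offline audit of the private-connectivity design in the best answer.

All IDs, the region and the sample responses below are constructed for this
example (shaped like boto3 describe_vpc_endpoints / describe_route_tables
output); they are not data from a real account.
"""

REGION = "us-east-1"                                   # assumed region
PRIVATE_SUBNETS = {"subnet-app-a", "subnet-app-b"}     # assumed application subnets

# Constructed sample that matches the best answer.
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3gw", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "RouteTableIds": ["rtb-private"], "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-sm", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.secretsmanager",
     "SubnetIds": ["subnet-app-a", "subnet-app-b"], "PrivateDnsEnabled": True},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         # A gateway endpoint shows up as a route to the S3 managed prefix list.
         {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3gw"},
     ]},
]


def audit_private_access(endpoints, route_tables, private_subnets, region):
    """Return a list of findings; an empty list means the design matches the best answer."""
    findings = []
    s3_svc = f"com.amazonaws.{region}.s3"
    sm_svc = f"com.amazonaws.{region}.secretsmanager"

    def of_type(service, kind):
        return [e for e in endpoints
                if e["ServiceName"] == service and e["VpcEndpointType"] == kind]

    s3_gateway, s3_interface = of_type(s3_svc, "Gateway"), of_type(s3_svc, "Interface")
    sm_interface = of_type(sm_svc, "Interface")

    if not s3_gateway:
        findings.append("no gateway endpoint for S3")
    if s3_interface:
        findings.append("interface endpoint for S3 present: unnecessary cost when a "
                        "gateway endpoint serves the VPC")
    if not sm_interface:
        findings.append("no interface endpoint for Secrets Manager")
    else:
        sm = sm_interface[0]
        if not sm.get("PrivateDnsEnabled"):
            findings.append("Secrets Manager endpoint has private DNS disabled: the SDK's "
                            "default hostname would resolve to public IPs")
        if not private_subnets.intersection(sm.get("SubnetIds", [])):
            findings.append("Secrets Manager endpoint has no ENI in an application subnet")

    gateway_ids = {e["VpcEndpointId"] for e in s3_gateway}
    covered = set()
    for rt in route_tables:
        associated = {a.get("SubnetId") for a in rt.get("Associations", [])}
        covered |= associated
        if not associated & private_subnets:
            continue                        # not a private-subnet route table
        routes = rt.get("Routes", [])
        for r in routes:
            # NAT routes carry NatGatewayId; internet gateway routes carry GatewayId.
            target = r.get("GatewayId") or r.get("NatGatewayId") or ""
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and target.startswith(("igw-", "nat-")):
                findings.append(f"{rt['RouteTableId']} has a default route via {target}: "
                                "violates the no-internet requirement")
        if not any(r.get("DestinationPrefixListId") and r.get("GatewayId") in gateway_ids
                   for r in routes):
            findings.append(f"{rt['RouteTableId']} has no prefix-list route to the S3 gateway endpoint")
    # A private subnet with no explicit association silently uses the main route table.
    for subnet in sorted(private_subnets - covered):
        findings.append(f"{subnet} has no explicit route table association")
    return findings


def kms_decrypt_statement(key_arn, region):
    """IAM policy statement for the application role. Secrets Manager decrypts with
    the CMK service-side, so the role needs kms:Decrypt on the key but no KMS
    endpoint; kms:ViaService pins the permission to calls made through Secrets Manager."""
    return {
        "Sid": "DecryptSecretViaSecretsManager",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": key_arn,
        "Condition": {"StringEquals": {
            "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


if __name__ == "__main__":
    for line in audit_private_access(VPC_ENDPOINTS, ROUTE_TABLES, PRIVATE_SUBNETS, REGION) or ["OK"]:
        print(line)
```

Feed it the real responses from boto3 and the findings map directly onto the distractors above: an S3 interface endpoint, a default route via a NAT gateway, or a Secrets Manager endpoint without private DNS each produce a named finding, and a clean design returns an empty list.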
Distractor review
Use VPC peering to a public subnet that hosts a proxy for S3 and Secrets Manager access.
VPC peering connects two VPCs; it does not give the peered VPC's resources a path to AWS service endpoints, and a gateway endpoint in the peer VPC cannot be used across the peering connection. A proxy in a public subnet puts an internet-facing hop in the path, widens the attack surface and adds a component to patch, scale and monitor, while still not providing the simplest private connectivity design.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets the network and broadcast addresses are not usable host addresses, and an AWS VPC subnet reserves five addresses (the first four and the last), so a /28 VPC subnet leaves 11 usable IPs, not 16.
Technical deep dive
How to think about this question
This question tests whether you can match each AWS service to its private connectivity option: S3 offers a gateway endpoint, while Secrets Manager, like most other services, offers only an interface endpoint. Rule out any option that routes through a NAT gateway, internet gateway or proxy, then pick the cheapest endpoint type each service supports.
Key Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
Exam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Related practice questions
Related SAA-C03 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
SAA-C03 VPC practice questions
Practise SAA-C03 questions linked to SAA-C03 VPC.
SAA-C03 S3 lifecycle policy questions
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
SAA-C03 RDS Multi-AZ questions
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
SAA-C03 IAM policy practice questions
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
SAA-C03 Route 53 failover questions
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
SAA-C03 CloudFront practice questions
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
SAA-C03 NAT gateway questions
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
SAA-C03 VPC endpoint questions
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
SAA-C03 Auto Scaling practice questions
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
SAA-C03 disaster recovery questions
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
SAA-C03 high availability questions
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
SAA-C03 cost optimization questions
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?
Question 2
A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?
Question 3
A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.
Question 4
A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
Question 5
A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
Question 6
A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
FAQ
Questions learners often ask
What does this SAA-C03 question test?
It tests private connectivity to AWS services from a VPC without NAT: choosing a gateway endpoint for S3 and an interface endpoint with private DNS for Secrets Manager, and recognising that a customer managed KMS key on the secret does not change the network design.
What is the correct answer to this question?
The correct answer is: Create a gateway VPC endpoint for S3 and an interface VPC endpoint for Secrets Manager with private DNS enabled. — The best design is a gateway endpoint for S3 plus an interface endpoint for Secrets Manager with private DNS enabled. This keeps the application’s traffic off the internet and avoids NAT gateway cost. S3 uses the gateway endpoint path natively, while Secrets Manager requires an interface endpoint. The customer managed KMS key is handled by the Secrets Manager service during secret retrieval and does not change the network design. A NAT gateway violates the no-internet requirement. Interface endpoints for S3 are unnecessary when a gateway endpoint is available and more cost-effective. VPC peering to a public proxy is operationally heavier, less secure, and does not provide a clean private AWS service path.
What should I do if I get this SAA-C03 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.