Question 1 (medium, multiple choice, objective-mapped)

An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A (best answer): Create a Gateway VPC endpoint for S3 and associate it with the private subnet route tables that contain the instances.

Without a NAT gateway, S3 is reached through a Gateway VPC endpoint. A gateway endpoint is not a network interface in the subnet; it works by adding a route for the S3 service prefix to each route table you associate it with, so the endpoint must be associated with the route tables the private subnets actually use. If DynamoDB works but S3 times out, the usual cause is that DynamoDB already has a routed endpoint while the S3 endpoint is missing, or exists but is not associated with the correct route tables.

B (distractor): Replace the security group egress rule to allow all outbound traffic to 0.0.0.0/0 on TCP 443.

Allowing 0.0.0.0/0 does not create a route to the S3 service without NAT. Security groups do not override routing; if traffic is not routed through the S3 VPC endpoint, the connection will still time out.

C (distractor): Add an Internet Gateway to the VPC and route the private subnet's 0.0.0.0/0 to the IGW.

Adding an Internet Gateway and public routing would defeat the purpose of using private subnets without NAT and increases exposure. The correct solution is service-specific private connectivity using a VPC endpoint for S3.

D (distractor): Switch from network ACLs to security groups by removing the existing NACL allow rules for ephemeral ports.

If DynamoDB works, NACL rules are likely not the blocker for outbound traffic in general. Also, the primary requirement for reaching S3 without NAT is routing via the S3 endpoint. NACL changes would be unnecessary if endpoint routing is already correct.
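The option analysis above comes down to one check: does the route table the private subnet actually uses carry a route to a Gateway endpoint for the service? The following added example (not from the original page or from AWS) encodes that check over constructed data shaped like boto3's describe_route_tables and describe_vpc_endpoints output; the ids rtb-main, rtb-private, subnet-app, vpce-s3 and vpce-ddb are placeholders. It also covers the main-table trap: the S3 endpoint is associated with the VPC's main route table, but the subnet has its own explicit table.

```python
# Constructed sample data shaped like boto3 describe_route_tables / describe_vpc_endpoints
# output; ids such as rtb-main, subnet-app and vpce-s3 are placeholders, not real AWS ids.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],             # the VPC's main table
     "Routes": [{"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"},
                {"DestinationPrefixListId": "pl-ddb", "GatewayId": "vpce-ddb"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}],  # explicit association wins
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-ddb", "GatewayId": "vpce-ddb"}]},
]
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3"},
    {"VpcEndpointId": "vpce-ddb", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb"},
]


def effective_route_table(route_tables, subnet_id):
    """Route table a subnet really uses: explicit association, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def gateway_endpoint_ids(endpoints, service):
    """Ids of Gateway-type endpoints whose ServiceName ends in '.<service>'."""
    return {ep["VpcEndpointId"] for ep in endpoints
            if ep.get("VpcEndpointType") == "Gateway"
            and ep.get("ServiceName", "").endswith("." + service)}


def diagnose(route_tables, endpoints, subnet_id, service):
    """Why a private subnet can or cannot reach a service via a gateway endpoint."""
    vpce_ids = gateway_endpoint_ids(endpoints, service)
    if not vpce_ids:
        return "no-gateway-endpoint"   # first half of option A: create the endpoint
    rt = effective_route_table(route_tables, subnet_id)
    routes = rt.get("Routes", []) if rt else []
    if any(r.get("GatewayId") in vpce_ids for r in routes):
        return "ok"
    return "not-routed"                # second half of option A: associate the route table
```

On the sample data, `diagnose(..., "subnet-app", "dynamodb")` returns "ok" while `"s3"` returns "not-routed", which is exactly the mixed symptom in the question; against a live account you would pass in `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_vpc_endpoints()["VpcEndpoints"]` instead of the constants.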

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Technical deep dive

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

Key Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

Exam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.


FAQ: questions learners often ask

What does this SAA-C03 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Create a Gateway VPC endpoint for S3 and associate it with the private subnet route tables that contain the instances.

With no NAT gateway, private instances can still access AWS services via VPC endpoints. DynamoDB often uses a Gateway endpoint or interface endpoint depending on configuration, and the fact it works suggests the instances can reach a service endpoint. For S3, the common pattern is creating a Gateway VPC endpoint for S3 and associating it with the private subnet route tables. Security group rules only permit traffic; without route table entries directing S3 traffic to the endpoint, connections will time out.

Why the others are wrong: B changes firewall rules but does not fix missing routing to S3, because the instance still lacks a NAT or S3 endpoint route. C introduces internet exposure and is contrary to the private-subnet constraint. D focuses on NACLs, but the mixed behaviour (DynamoDB works) points away from NACL issues and toward missing or incorrect S3 endpoint routing.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
