Question 393 of 1,040
Design Secure ArchitectureshardMultiple ChoiceObjective-mapped

Quick Answer

The answer is to use an S3 gateway VPC endpoint with a bucket policy that restricts access to the specific VPC endpoint. This design is correct because the S3 gateway VPC endpoint allows EC2 instances in private subnets to reach S3 without traversing the internet or requiring a NAT gateway, while the bucket policy condition using `aws:SourceVpce` ensures that only requests originating from that approved endpoint are permitted. On the SAA-C03 exam, this scenario tests your understanding of how to combine VPC endpoints with resource-based policies for secure, private access—a common trap is confusing gateway endpoints with interface endpoints or forgetting that the condition key must match the exact VPC endpoint ID, not the VPC itself. A helpful memory tip is to think "gateway for S3, source Vpce for security," ensuring you pair the private connectivity of a gateway endpoint with the explicit endpoint-level restriction in the bucket policy.

SAA-C03 Design Secure Architectures Practice Question

This SAA-C03 practice question tests your understanding of design secure architectures. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Route table for private subnet:
Destination        Target
10.0.0.0/16        local
pl-68a54001        vpce-s3-gateway

S3 bucket policy draft:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}

Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change

Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

Exhibit

Route table for private subnet:
Destination        Target
10.0.0.0/16        local
pl-68a54001        vpce-s3-gateway

S3 bucket policy draft:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}

Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use the S3 gateway VPC endpoint and keep the bucket policy that denies requests unless aws:SourceVpce matches the approved endpoint.

Option A is correct because an S3 gateway VPC endpoint allows EC2 instances in private subnets to access S3 without traversing the internet or requiring a NAT gateway. By adding a bucket policy condition that denies access unless `aws:SourceVpce` matches the approved VPC endpoint ID, you ensure that only requests originating from that specific endpoint are allowed, meeting the security requirement.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use the S3 gateway VPC endpoint and keep the bucket policy that denies requests unless aws:SourceVpce matches the approved endpoint.

    Why this is correct

    For S3, a gateway VPC endpoint is the correct private-connectivity option for EC2 instances in private subnets. The route table sends S3 prefix-list traffic to the gateway endpoint, so requests stay on the AWS network instead of traversing a NAT gateway or the public internet. The bucket policy condition on aws:SourceVpce then ensures that even valid AWS-authenticated requests are accepted only when they arrive through the approved endpoint ID.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use an interface VPC endpoint for S3 only, because gateway endpoints cannot be used with bucket policies.

    Why it's wrong here

    Gateway endpoints are the standard and recommended private-connectivity mechanism for S3 from EC2 instances in VPCs, and they can absolutely be combined with S3 bucket policies. The claim that gateway endpoints cannot be used with bucket policies is incorrect. In fact, aws:SourceVpce is a common condition key used specifically to restrict access to a particular endpoint.

  • Add a NAT gateway and remove the bucket policy condition because the NAT route will automatically secure the S3 traffic.

    Why it's wrong here

    A NAT gateway provides outbound internet access for private subnets, but it does not keep S3 traffic private in the way a VPC endpoint does. It also does not enforce endpoint-based authorization. This option fails both requirements: it introduces internet egress and removes the access control that limits the bucket to the approved endpoint.

  • Move the bucket policy restriction to a security group attached to the S3 bucket so only the VPC endpoint can reach it.

    Why it's wrong here

    Security groups do not apply to S3 because S3 is a managed regional service, not an ENI-backed resource in your VPC. S3 access is controlled with IAM, bucket policies, endpoint policies, and condition keys such as aws:SourceVpce. The correct enforcement point is the bucket policy, not a security group.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse gateway endpoints with interface endpoints, assuming gateway endpoints cannot enforce bucket policies, or they mistakenly think security groups can be applied to S3 buckets, leading them to choose option D.

Detailed technical explanation

How to think about this question

Gateway VPC endpoints use prefix lists and route table entries to direct S3 traffic through AWS’s internal network without leaving the AWS backbone, ensuring low latency and no data transfer costs. The `aws:SourceVpce` condition key in the bucket policy evaluates the VPC endpoint ID from which the request originates, providing granular control even when multiple endpoints or accounts are involved. In real-world scenarios, this design is critical for compliance frameworks like PCI DSS that require traffic to remain within AWS’s private network.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SAA-C03 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SAA-C03 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Design Secure Architectures — This question tests Design Secure Architectures — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Use the S3 gateway VPC endpoint and keep the bucket policy that denies requests unless aws:SourceVpce matches the approved endpoint. — Option A is correct because an S3 gateway VPC endpoint allows EC2 instances in private subnets to access S3 without traversing the internet or requiring a NAT gateway. By adding a bucket policy condition that denies access unless `aws:SourceVpce` matches the approved VPC endpoint ID, you ensure that only requests originating from that specific endpoint are allowed, meeting the security requirement.

What should I do if I get this SAA-C03 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More SAA-C03 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.