A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use?
Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.
Why this answer
Interface VPC endpoints (AWS PrivateLink) enable private connectivity to Systems Manager Parameter Store by creating an elastic network interface in the subnet with a private IP, allowing the application to read parameters without traversing the internet. Gateway VPC endpoints for S3 provide private access to S3 objects via route table entries, using the S3 public IP space but staying within the AWS network, avoiding the need for an internet gateway or NAT gateway.
Exam trap
The trap here is that candidates often confuse gateway endpoints (used for S3 and DynamoDB) with interface endpoints (used for most other AWS services), and may incorrectly assume a NAT gateway or internet gateway is needed for outbound traffic from private subnets, ignoring that gateway endpoints work via route table entries without the instances needing public IP addresses.