Your EC2 instances run in private subnets with no NAT gateway. The instances use the AWS SDK to call STS AssumeRole to obtain temporary credentials for other services. Application logs show errors like: "EndpointConnectionError: Could not connect to https://sts.<region>.amazonaws.com".
Which change most directly resolves this while keeping instances private?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Create an interface VPC endpoint for STS (com.amazonaws.<region>.sts) and associate it with the instance subnets and a security group that allows HTTPS.
Interface endpoints provide private, in-VPC connectivity to AWS APIs like STS without requiring internet access or NAT.
Create a gateway VPC endpoint for S3 and route the STS traffic through the S3 endpoint gateway.
Gateway endpoints are for specific services (like S3/DynamoDB) and cannot be used to route STS traffic to the correct API.
Open an inbound rule in the instances’ security group to allow outbound HTTPS to the internet CIDR block directly.
Security groups control allowed traffic, but the subnet route table still needs a path. Without NAT/endpoint routing, traffic cannot reach STS.
Attach an Internet Gateway to the private subnet route table so the STS API can be reached over public internet.
Adding an Internet Gateway to private subnets contradicts the requirement to keep instances private and increases exposure.
Common exam trap
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
CIDR notation defines the prefix length.
The correct answer is: Create an interface VPC endpoint for STS (com.amazonaws.<region>.sts) and associate it with the instance subnets and a security group that allows HTTPS. — When you remove NAT gateway and keep instances in private subnets, AWS public API calls (such as STS) require an in-VPC network path. The correct approach is to create a VPC interface endpoint for STS (com.amazonaws.<region>.sts), then associate it with the subnets and permit HTTPS via the endpoint security group. This provides private connectivity to the STS API without making instances internet-routable. Opening outbound rules or modifying routes to use an Internet Gateway undermines the private-subnet security posture. Why others are wrong: Option B incorrectly attempts to route STS through an S3 gateway endpoint; gateway endpoints are service-specific and do not route arbitrary AWS API traffic. Option C addresses only security group rules; it does not create a route to reach sts.<region>.amazonaws.com. Option D would violate the design constraint by making private subnet instances reachable via public internet routing instead of using endpoints.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.