Networking and Content Delivery · Medium · Multiple Choice · Objective-mapped

Quick Answer

The correct solution is to create an S3 VPC Gateway Endpoint in the VPC and associate it with the route tables of the private subnets. This works because a Gateway Endpoint uses AWS’s internal network to route traffic directly to S3, ensuring that data never leaves the Amazon network or traverses the internet, which eliminates both internet egress charges and the need for a NAT gateway or internet gateway. On the AWS Certified SysOps Administrator Associate SOA-C02 exam, this scenario tests your understanding of cost-optimized private connectivity—a common trap is choosing an Interface Endpoint or a NAT gateway, which incur additional hourly and data processing costs. Remember that Gateway Endpoints are free to use and only charge for data transfer within the same region, making them the most cost-effective choice for S3 access from private subnets. A helpful memory tip: “Gateway for S3, Interface for everything else”—if the service is S3 or DynamoDB, always think Gateway Endpoint first.

SOA-C02 Networking and Content Delivery Practice Question

This SOA-C02 practice question tests your understanding of networking and content delivery. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has an Amazon VPC with public and private subnets across two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an Amazon S3 bucket to upload and download files. The SysOps administrator must ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?


Correct answer & explanation

Create an S3 VPC Gateway Endpoint in the VPC and associate it with the route tables of the private subnets.

Option A is correct because an S3 VPC Gateway Endpoint provides a private, cost-effective connection to S3 from within the VPC without traversing the internet. By associating the endpoint with the route tables of the private subnets, traffic destined for S3 is routed directly through AWS's internal network, avoiding data transfer costs and internet egress charges.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create an S3 VPC Gateway Endpoint in the VPC and associate it with the route tables of the private subnets.

    Why this is correct

    Gateway Endpoints provide private connectivity to S3 at no additional cost (only standard data transfer rates apply). By adding a route for the S3 prefix list to the private subnet route tables, traffic destined for S3 is routed through the endpoint.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Create an S3 VPC Interface Endpoint in the VPC and associate it with the security groups of the private subnets.

    Why it's wrong here

    Interface Endpoints use AWS PrivateLink and incur hourly charges and data processing fees, making them more expensive than Gateway Endpoints for S3 access.

  • Set up a NAT Gateway in the public subnets and add a route to the private subnets' route tables pointing to the NAT Gateway for S3 traffic.

    Why it's wrong here

    NAT Gateways allow outbound internet access but traffic to S3 would still go over the internet. NAT Gateways also incur hourly and data processing charges, increasing costs.

  • Use AWS PrivateLink with an S3 endpoint service hosted in a different VPC.

    Why it's wrong here

    AWS PrivateLink for S3 is available via Interface Endpoints, but using an endpoint service from another VPC is not the standard way to connect to S3 and adds unnecessary complexity and cost.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse Gateway Endpoints with Interface Endpoints, assuming both are equally suitable for S3, but Gateway Endpoints are free and optimized for S3 and DynamoDB, while Interface Endpoints incur costs and are better for other AWS services.

Detailed technical explanation

How to think about this question

An S3 VPC Gateway Endpoint uses prefix lists and route table entries to route S3 traffic (destination 0.0.0.0/0 for S3 prefix) through AWS's global network, leveraging the S3 service's regional endpoints. Under the hood, the endpoint does not use an ENI but instead adds a route in the subnet's route table that points to the gateway endpoint ID, ensuring traffic stays within the AWS backbone. This is particularly beneficial for high-volume S3 workloads, as it eliminates NAT Gateway hourly charges and data processing fees.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.


FAQ

Questions learners often ask

What does this SOA-C02 question test?

This question tests Networking and Content Delivery. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Create an S3 VPC Gateway Endpoint in the VPC and associate it with the route tables of the private subnets. — Option A is correct because an S3 VPC Gateway Endpoint provides a private, cost-effective connection to S3 from within the VPC without traversing the internet. By associating the endpoint with the route tables of the private subnets, traffic destined for S3 is routed directly through AWS's internal network, avoiding data transfer costs and internet egress charges.

What should I do if I get this SOA-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 11, 2026
