
SAA-C03 Exam - Question 667


A company is moving its data and applications to AWS during a multiyear migration project. The company wants to securely access data on Amazon S3 from the company's AWS Region and from the company's on-premises location. The data must not traverse the internet. The company has established an AWS Direct Connect connection between its Region and its on-premises location.

Which solution will meet these requirements?

Correct Answer: C

To securely access Amazon S3 data from both the company's AWS Region and its on-premises location without traversing the internet, you must use interface endpoints for Amazon S3. Interface endpoints are elastic network interfaces with private IP addresses in your VPC subnets, so they can be reached from on-premises networks over the existing AWS Direct Connect connection as well as from within the VPC, with no internet gateway or NAT device involved. Gateway endpoints also provide private connectivity to S3, but they work as route-table targets inside a single VPC and do not extend that connectivity to on-premises networks or to other AWS Regions. Therefore, the most appropriate solution is to create interface endpoints for Amazon S3.
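The distinction above is something an engineer can check in an existing account rather than take on trust. The following script is an added example, not part of the exam page or of any AWS material: it audits S3 VPC endpoints using the JSON shape returned by `aws ec2 describe-vpc-endpoints`, flags which endpoint types on-premises clients can actually reach, warns when an endpoint policy is wide open, and derives the endpoint-specific URL that on-premises clients would have to use. The sample output embedded in the script is constructed and every identifier in it is fictitious; the endpoint-specific DNS name format follows the AWS PrivateLink for Amazon S3 documentation linked in the discussion.

```python
"""Audit S3 VPC endpoints for on-premises reachability and policy scope.

Added example, not part of the exam page. It reads the JSON shape returned by
`aws ec2 describe-vpc-endpoints`; the sample below is constructed and its IDs are
fictitious. The endpoint-specific DNS name format follows the AWS PrivateLink for
Amazon S3 documentation.
"""
import json
import re
from typing import Any, Optional

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output.
# Only the fields this audit reads are included; all identifiers are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {   # Gateway endpoint: a route-table target, usable only from inside the VPC
            "VpcEndpointId": "vpce-0aaa1111bbbb2222c",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "RouteTableIds": ["rtb-0123456789abcdef0"],
            "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
        },
        {   # Interface endpoint: private IPs in the VPC, reachable over Direct Connect
            "VpcEndpointId": "vpce-0ccc3333dddd4444e",
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "SubnetIds": ["subnet-0123456789abcdef0"],
            "DnsEntries": [{"DnsName": "*.vpce-0ccc3333dddd4444e-ab12cd34.s3.us-east-1.vpce.amazonaws.com"}],
            "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-migration-bucket",
                              "arn:aws:s3:::example-migration-bucket/*"]}]}),
        },
    ]
})

# Service names for S3 endpoints look like com.amazonaws.<region>.s3
S3_SERVICE = re.compile(r"^com\.amazonaws\.(?P<region>[a-z0-9-]+)\.s3$")


def is_s3_service(service_name: str) -> bool:
    return S3_SERVICE.match(service_name) is not None


def reachable_from_on_premises(endpoint: dict) -> bool:
    """Only interface endpoints answer on private IPs that Direct Connect can route to.
    Gateway endpoints are prefix-list targets in the VPC route tables, so traffic
    arriving from on premises never reaches them."""
    return endpoint["VpcEndpointType"] == "Interface"


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def policy_is_unrestricted(policy_json: str) -> bool:
    """True when some Allow statement grants every action on every resource."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def endpoint_url(endpoint: dict) -> Optional[str]:
    """Endpoint-specific URL for bucket operations through an interface endpoint.

    DnsEntries carries a wildcard name *.vpce-<id>.s3.<region>.vpce.amazonaws.com;
    bucket requests use the `bucket.` label in place of the wildcard."""
    for entry in endpoint.get("DnsEntries", []):
        name = entry.get("DnsName", "")
        if name.startswith("*.") and ".vpce.amazonaws.com" in name:
            return "https://bucket." + name[2:]
    return None


def audit(describe_json: str) -> list:
    """One finding per S3 endpoint: can on-prem clients use it, and is its policy open?"""
    findings = []
    for ep in json.loads(describe_json)["VpcEndpoints"]:
        if not is_s3_service(ep["ServiceName"]):
            continue
        findings.append({
            "endpoint_id": ep["VpcEndpointId"],
            "type": ep["VpcEndpointType"],
            "on_premises_reachable": reachable_from_on_premises(ep),
            "policy_unrestricted": policy_is_unrestricted(ep.get("PolicyDocument", "{}")),
            "endpoint_url": endpoint_url(ep),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DESCRIBE_OUTPUT):
        print(json.dumps(finding, indent=2))
```

Run against real output by piping `aws ec2 describe-vpc-endpoints` into `audit()`. The gateway endpoint in the sample is reported as unreachable from on premises and its default policy as unrestricted, while the interface endpoint is reachable and scoped to one bucket; the returned URL is what on-premises clients pass as the endpoint URL, since gateway-style public S3 DNS names do not resolve to the interface endpoint.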

Discussion

15 comments
Ernestokoro
Dec 11, 2023

Ans is C: >>You can access Amazon S3 from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3. There is no additional charge for using gateway endpoints. Amazon S3 supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

LemonGremlin (Option: C)
Nov 22, 2023

Amazon VPC interface endpoints enable you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN, or Direct Connect connection. By creating interface endpoints for Amazon S3 in both the AWS Region and the on-premises location, you can securely access data without traversing the internet. Direct Connect Connection: With an AWS Direct Connect connection established between the AWS Region and the on-premises location, the data can flow over the dedicated, private connection rather than going over the public internet.

SHAAHIBHUSHANAWS
Dec 4, 2023

C. S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. However, if you're willing to manage a complex custom architecture, you can use proxies. In all those scenarios, where access is from resources external to the VPC, S3 interface endpoints access S3 in a secure way. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

fea9bdf
Dec 31, 2023

Answer seems to be C. Gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide.

Beshowasfy (Option: A)
Dec 11, 2023

GW endpoint is only for S3 and DynamoDB, interface endpoint is for other services, so C is wrong

ale_brd_
Dec 28, 2023

You can't access a gateway endpoint from on-premises

ale_brd_ (Option: C)
Dec 28, 2023

Gateway endpoints use public IP addresses even if traffic does not directly route through the internet; also, they are not meant to be used from on-premises. Answer is C

pentium75 (Option: C)
Jan 3, 2024

Not A: a gateway endpoint can be accessed only from inside the VPC it's in.
Not B: Transit Gateway alone won't help.
Not D: KMS has nothing to do with this.

t0nx (Option: C)
Nov 23, 2023

CCCCCC

VladanO
Dec 4, 2023

Selected Answer: A https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. There is no additional charge for using gateway endpoints.

pentium75
Jan 3, 2024

You can't use GW endpoint from on-premises

TariqKipkemei (Option: C)
Dec 11, 2023

S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/#:~:text=associated.%20S3%20gateway-,endpoints,-do%20not%20currently

ftaws (Option: B)
Dec 22, 2023

Transit Gateway supports inter-Region. Interface gateway is not used with S3.

Min_93
Dec 28, 2023

com.amazonaws.ap-southeast-1.s3 | amazon | Interface. Interface is now available for S3

Min_93 (Option: C)
Dec 28, 2023

Options A, B, and D are not the most suitable for the following reasons:

A. Create gateway endpoints for Amazon S3: Gateway endpoints are used for accessing S3 from within a VPC, but they do not extend connectivity to on-premises locations.

B. Create a gateway in AWS Transit Gateway: AWS Transit Gateway is designed for routing traffic between VPCs and on-premises networks but is not used as a direct gateway for S3 access.

D. Use an AWS Key Management Service (AWS KMS) key: AWS KMS is a key management service and does not provide direct access to S3. It's used for managing encryption keys.

Therefore, option C, creating interface endpoints for Amazon S3, is the most appropriate solution for securely accessing S3 from both the AWS Region and the on-premises location.

Min_93
Dec 28, 2023

Gateway endpoints for Amazon S3              | Interface endpoints for Amazon S3
In both cases, your network traffic remains on the AWS network.
Use Amazon S3 public IP addresses            | Use private IP addresses from your VPC to access Amazon S3
Use the same Amazon S3 DNS names             | Require endpoint-specific Amazon S3 DNS names
Do not allow access from on premises         | Allow access from on premises
Do not allow access from another AWS Region  | Allow access from a VPC in another AWS Region by using VPC peering or AWS Transit Gateway
Not billed                                   | Billed

awsgeek75 (Option: C)
Jan 13, 2024

https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html With AWS PrivateLink for Amazon S3, you can provision interface VPC endpoints (interface endpoints) in your virtual private cloud (VPC). These endpoints are directly accessible from applications that are on premises over VPN and AWS Direct Connect, or in a different AWS Region over VPC peering.

1Alpha1 (Option: C)
Feb 9, 2024

Gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

Gape4 (Option: C)
Jul 4, 2024

Please C