
Private S3 Access via VPC Endpoint | SAA-C03

Author: Jeff Taakey, 21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS SAA-C03, many candidates get confused by VPC private connectivity patterns. In the real world, this is fundamentally a decision about Zero Trust networking vs. Cost efficiency. Let’s drill into a simulated scenario.

The Scenario

MediTrack Solutions operates a patient data analytics platform running on Amazon EC2 instances within a Virtual Private Cloud (VPC). Their core data processing service must continuously write anonymized patient records to Amazon S3 and retrieve historical datasets for trend analysis.

Due to HIPAA compliance requirements and their internal Zero Trust Security Framework, the Chief Information Security Officer (CISO) has mandated that application traffic must never traverse the public internet, even when it is encrypted in transit.

The infrastructure team must implement a solution that satisfies this security constraint while maintaining operational simplicity.

Key Requirements

Enable EC2 instances to access Amazon S3 APIs without any traffic flowing through the internet.

The Options

  • A) Configure an S3 Gateway Endpoint in the VPC.
  • B) Create the S3 bucket in a private subnet.
  • C) Create the S3 bucket in the same AWS Region as the EC2 instances.
  • D) Configure a NAT Gateway in the same subnet as the EC2 instances.

Correct Answer

Option A: Configure an S3 Gateway Endpoint.

Step-by-Step Winning Logic

S3 Gateway Endpoints are the AWS-native solution for this exact requirement:

  1. Private Network Routing: S3 requests are forwarded to the endpoint inside the VPC and carried over the AWS network; they never leave through an Internet Gateway or NAT Gateway
  2. Zero Cost: Gateway Endpoints for S3 (and DynamoDB) have no hourly charges and no data processing fees
  3. Route Table Integration: When you create the endpoint you select the route tables to associate; AWS adds a route for the S3 managed prefix list (pl-…) targeting the endpoint (vpce-…) to each of them
  4. Route-Table Scoped Coverage: The endpoint covers every subnet whose route table carries that prefix-list route. A subnet using a route table that was not associated (including subnets that fall back to the VPC's main route table) keeps sending S3 traffic out the IGW or NAT path, so check coverage rather than assume it
  5. Policy Control in Both Directions: A bucket policy can deny requests that do not arrive through a specific endpoint or VPC (aws:sourceVpce / aws:sourceVpc), and the endpoint's own policy can restrict which buckets are reachable through it

Security Trade-off: This solution keeps S3 traffic off the public path at a cost of $0, making it a rare "no-brainer" decision in AWS architecture. Note that the controls you get are routing, the endpoint policy and bucket policies; unlike an Interface Endpoint, a Gateway Endpoint has no security group attached.
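Because coverage is per route table rather than per VPC, the practical check is "which subnets still lack the prefix-list route, and is the endpoint policy still the default?" The following Python audit is an added example and is not code from the original page; it reads the JSON shapes returned by `aws ec2 describe-route-tables`, `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-subnets`, and runs here on constructed sample data with hypothetical resource IDs (rtb-main, rtb-private, rtb-public, vpce-0f1e2d3c4b5a69788, pl-0123456789abcdef0, subnet-app-a/public-b/legacy-c) in an assumed region of us-east-1.

```python
"""Audit S3 Gateway Endpoint coverage for one VPC (added example, hypothetical IDs).

Works on the JSON shapes returned by `aws ec2 describe-route-tables`,
`aws ec2 describe-vpc-endpoints` and `aws ec2 describe-subnets`.
"""
import json

REGION = "us-east-1"  # assumed region of the VPC and the endpoint

# Constructed sample: only rtb-private routes the S3 prefix list to the endpoint.
# rtb-main is the VPC's main table; subnets with no explicit association use it.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-app-a", "RouteTableId": "rtb-private"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60718", "State": "active"},
         {"DestinationPrefixListId": "pl-0123456789abcdef0",  # hypothetical S3 prefix list ID
          "GatewayId": "vpce-0f1e2d3c4b5a69788", "State": "active"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-public-b", "RouteTableId": "rtb-public"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aa11bb22cc33dd44", "State": "active"}]},
]}

# Constructed sample: one S3 gateway endpoint still carrying the AWS default (full-access) policy.
VPC_ENDPOINTS = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0f1e2d3c4b5a69788",
    "VpcEndpointType": "Gateway",
    "ServiceName": "com.amazonaws.us-east-1.s3",
    "State": "available",
    "RouteTableIds": ["rtb-private"],
    "PolicyDocument": json.dumps({"Version": "2008-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
}]}

# Constructed sample: subnet-legacy-c has no explicit association, so it falls back to rtb-main.
SUBNETS = {"Subnets": [{"SubnetId": s} for s in ("subnet-app-a", "subnet-public-b", "subnet-legacy-c")]}


def s3_gateway_endpoint_ids(vpc_endpoints, region):
    """IDs of available S3 *gateway* endpoints for `region` (interface endpoints are ignored)."""
    return {e["VpcEndpointId"] for e in vpc_endpoints["VpcEndpoints"]
            if e["VpcEndpointType"] == "Gateway"
            and e["ServiceName"] == f"com.amazonaws.{region}.s3"
            and e["State"] == "available"}


def route_table_has_s3_endpoint_route(rtb, endpoint_ids):
    """True if the table has an active prefix-list route whose target is an S3 gateway endpoint."""
    return any("DestinationPrefixListId" in r and r.get("GatewayId") in endpoint_ids
               and r.get("State") == "active" for r in rtb["Routes"])


def subnet_to_route_table(route_tables, subnet_ids):
    """Map each subnet to its effective route table, honouring the implicit main-table association."""
    main = next(t["RouteTableId"] for t in route_tables["RouteTables"]
                if any(a.get("Main") for a in t["Associations"]))
    explicit = {a["SubnetId"]: t["RouteTableId"] for t in route_tables["RouteTables"]
                for a in t["Associations"] if "SubnetId" in a}
    return {s: explicit.get(s, main) for s in subnet_ids}


def subnets_missing_s3_endpoint_route(route_tables, vpc_endpoints, subnets, region):
    """Subnets whose S3 traffic takes the IGW/NAT path instead of the gateway endpoint."""
    endpoint_ids = s3_gateway_endpoint_ids(vpc_endpoints, region)
    tables = {t["RouteTableId"]: t for t in route_tables["RouteTables"]}
    mapping = subnet_to_route_table(route_tables, [s["SubnetId"] for s in subnets["Subnets"]])
    return sorted(s for s, rtb in mapping.items()
                  if not route_table_has_s3_endpoint_route(tables[rtb], endpoint_ids))


def endpoint_policy_is_full_access(endpoint):
    """True for the AWS default endpoint policy (Allow * on * for every principal), which lets
    any instance in the VPC write to any bucket in any AWS account through the endpoint."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    for st in json.loads(endpoint["PolicyDocument"]).get("Statement", []):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if (st.get("Effect") == "Allow" and "*" in as_list(principal)
                and any(a in ("*", "s3:*") for a in as_list(st.get("Action")))
                and "*" in as_list(st.get("Resource"))):
            return True
    return False


if __name__ == "__main__":
    print("subnets without an S3 endpoint route:",
          subnets_missing_s3_endpoint_route(ROUTE_TABLES, VPC_ENDPOINTS, SUBNETS, REGION))
    for e in VPC_ENDPOINTS["VpcEndpoints"]:
        print(e["VpcEndpointId"], "default full-access policy:", endpoint_policy_is_full_access(e))
```

On the sample data the audit reports subnet-legacy-c (falls back to the main table) and subnet-public-b (IGW route only) as uncovered, and flags the endpoint policy as the unrestricted default. Against a real account, replace the three constants with the parsed output of the corresponding `describe-*` calls.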


💎 Professional-Level Analysis

This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.

🔐 Expert Deep Dive: Why Options Fail

This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.


🔐 The Traps (Distractor Analysis)

This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.

The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.

  • Why not Option B (S3 bucket in private subnet)?
    Fundamental Misunderstanding: S3 is a managed service with a global bucket namespace. Buckets do not exist "in" VPCs or subnets; they are regional resources reached through S3 API endpoints. This option confuses VPC-based resources (EC2, RDS) with AWS-managed services (S3, DynamoDB).

  • Why not Option C (Same AWS Region)?
    Incomplete Solution: The bucket should be in the same region anyway (lower latency, no cross-region data transfer charge of roughly $0.02/GB), but region placement does nothing to keep traffic off the public path. Without a VPC endpoint the instances resolve S3 to its public endpoint addresses and the requests leave the VPC through an Internet Gateway (or a NAT Gateway from a private subnet), which is exactly what the mandate forbids.

  • Why not Option D (NAT Gateway in same subnet)?
    Cost Trap + Wrong Tool: A NAT Gateway exists to give private subnets outbound internet access; it is not a private path to AWS services. S3 traffic through it still goes to S3's public endpoints over the internet path. You would pay about $32/month per AZ ($0.045/hour) plus $0.045/GB of data processing for a path that is less private than the free Gateway Endpoint.


🔐 The Solution Blueprint

This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.

Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.

```mermaid
graph TD
    subgraph VPC["VPC (10.0.0.0/16)"]
        subgraph PrivateSubnet["Private Subnet (10.0.1.0/24)"]
            EC2["EC2 Instance<br/>App Server"]
        end
        subgraph RouteTable["Route Table"]
            LocalRoute["10.0.0.0/16 → local"]
            S3Route["pl-xxxxx (S3 prefix) → vpce-xxxxx"]
        end
        VPCE["S3 Gateway Endpoint<br/>(vpce-xxxxx)"]
    end
    S3["Amazon S3<br/>(AWS Backbone Network)"]
    EC2 -->|"API Call<br/>(s3:PutObject)"| VPCE
    VPCE -->|"Private Network<br/>(No Internet)"| S3
    RouteTable -.->|Governs| EC2
    style VPCE fill:#4CAF50,stroke:#2E7D32,color:#fff
    style S3 fill:#FF9800,stroke:#E65100,color:#fff
    style EC2 fill:#2196F3,stroke:#0D47A1,color:#fff
```

Diagram Note: EC2 instances use the VPC route table to automatically direct S3 API calls through the Gateway Endpoint, which routes traffic over AWS’s private network without touching the internet.


🔐 The Decision Matrix

This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.

At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A: S3 Gateway Endpoint | Low (2 clicks + route table entry) | $0 | ✅ Free<br>✅ Private network traffic<br>✅ No architecture changes<br>✅ Meets compliance | ⚠️ Only works for S3/DynamoDB |
| B: S3 in Private Subnet | N/A | N/A | None | ❌ Architecturally impossible (S3 isn't VPC-based) |
| C: Same AWS Region | Low | Standard S3 costs (~$23/TB/mo) | ✅ Reduces latency<br>✅ Avoids cross-region data transfer fees | ❌ Traffic still uses internet<br>❌ Doesn't meet security requirement |
| D: NAT Gateway | Medium (HA requires 2 AZs) | ~$64/month (2 AZs) + $0.045/GB | ✅ Enables internet access | ❌ Traffic still uses public internet<br>❌ High cost<br>❌ Wrong tool for AWS service access |

FinOps Insight: For a workload processing 5TB/month of S3 data:

  • Gateway Endpoint: $0 + standard S3 API costs
  • NAT Gateway: $64/month + $225 data processing (5000GB × $0.045) = $289/month wasted


🔐 Real-World Practitioner Insight

This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.

This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.

Exam Rule

"For the SAA-C03 exam, when you see 'traffic must not traverse the internet' together with S3 or DynamoDB, immediately select Gateway Endpoint."

Real World

In production environments, we typically:

  1. Use Gateway Endpoints as the default for S3/DynamoDB access (there is no reason not to; they are free)
  2. Combine them with Interface Endpoints (PrivateLink) for other AWS services (EC2 API, SSM, CloudWatch) where private connectivity is required ($0.01/hour/AZ + $0.01/GB in us-east-1)
  3. Apply an S3 bucket policy that denies requests not arriving through the expected VPC endpoint. The Resource list must name both the bucket and its objects; with only the object ARN, bucket-level calls such as s3:ListBucket would still be allowed from anywhere:
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::meditrack-data",
          "arn:aws:s3:::meditrack-data/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpce": "vpce-1234567890abcdef0"
          }
        }
      }]
    }
    Two caveats before applying this: the Deny matches every principal, including your own administrators in the console and any AWS service that reads the bucket on your behalf, so add a carve-out (for example an extra condition on aws:PrincipalArn for a break-glass role) and test with a read-only action first. Condition key names are case-insensitive, so aws:SourceVpce and the aws:sourceVpce spelling used in current AWS documentation are equivalent.
  4. Replace the default endpoint policy on the Gateway Endpoint with one limited to your own buckets. The default allows every principal every action on every resource, so any instance in the VPC could upload data to a bucket in a different AWS account through the endpoint, an exfiltration path the bucket policy above does nothing to stop
  5. Monitor with VPC Flow Logs to catch S3 traffic that is still leaving through an IGW or NAT Gateway
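The flow-log check above needs one subtlety spelled out: a gateway endpoint route changes where the VPC forwards the packet, not its destination address, so the instance ENI's own flow log shows public S3 IPs on either path. The reliable signal is the NAT Gateway's ENI, where any S3-bound flow proves a route table still sends S3 over the public path. The following detector is an added example, not code from the original page; it parses default-format (version 2) flow log records, which is a documented AWS format, while the S3 CIDRs, ENI IDs, account ID and log lines are constructed for illustration (load the real S3 ranges from ip-ranges.json or the region's S3 managed prefix list).

```python
"""Find S3 traffic leaving through a NAT Gateway instead of the S3 Gateway
Endpoint, from VPC Flow Logs (added example with constructed sample data)."""
import ipaddress

# Fields of the default (version 2) flow log record format, in order.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Illustrative S3 CIDRs only. In practice load the region's S3 prefixes from
# ip-ranges.json (service "S3") or the S3 managed prefix list entries.
S3_CIDRS = [ipaddress.ip_network(c) for c in ("52.216.0.0/15", "3.5.0.0/19")]

# Hypothetical ENI ID of the NAT Gateway (taken from its network interface).
NAT_GATEWAY_ENIS = {"eni-0nat00000000000a1"}

# Constructed sample records (not from a real account). Record 1 is the
# application ENI reaching S3 via the endpoint (expected); records 2 and 4 are
# S3 flows on the NAT ENI (leaks); record 3 is ordinary internet traffic;
# record 5 is a NODATA record with '-' fields.
SAMPLE_LOG = """\
2 123456789012 eni-0app0000000000b2 10.0.1.25 52.216.24.32 51112 443 6 20 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat00000000000a1 10.0.1.25 52.216.24.32 51114 443 6 18 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat00000000000a1 10.0.2.40 93.184.216.34 41000 443 6 10 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat00000000000a1 10.0.3.7 3.5.20.100 41002 443 6 5 600 1700000000 1700000060 REJECT OK
2 123456789012 eni-0nat00000000000a1 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log_line(line):
    """Parse one default-format record into a dict, or None if it is malformed or
    carries no flow data (NODATA / SKIPDATA records have '-' in most fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log-status"] == "OK" else None


def is_s3_address(addr, s3_cidrs):
    """True if `addr` is a valid IP inside one of the S3 CIDRs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in s3_cidrs)


def find_s3_leaks(log_text, nat_enis, s3_cidrs):
    """Records on a NAT Gateway ENI whose destination is S3: each is a request that
    bypassed the gateway endpoint. REJECTed flows count too; reaching the NAT ENI
    at all proves the route table sent the traffic there."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_flow_log_line(line)
        if rec and rec["interface-id"] in nat_enis and is_s3_address(rec["dstaddr"], s3_cidrs):
            leaks.append(rec)
    return leaks


def leaked_bytes(leaks):
    """Bytes of S3 traffic that crossed the NAT Gateway (billed at its data-processing rate)."""
    return sum(int(r["bytes"]) for r in leaks)


if __name__ == "__main__":
    found = find_s3_leaks(SAMPLE_LOG, NAT_GATEWAY_ENIS, S3_CIDRS)
    for r in found:
        print(f"{r['srcaddr']} -> {r['dstaddr']} via {r['interface-id']} ({r['action']}, {r['bytes']} bytes)")
    print("bytes of S3 traffic through NAT:", leaked_bytes(found))
```

The source addresses of the flagged records (10.0.1.25 and 10.0.3.7 in the sample) tell you which subnets to feed back into the route-table audit. For public subnets that route straight to an IGW there is no NAT ENI to watch, so that case is caught by the route-table check, not by flow logs.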

Gotcha: Gateway Endpoints are regional and only usable from inside the VPC they are attached to. A bucket in us-east-1 reached from a VPC in eu-west-1 is not covered, and that traffic takes the public path unless you replicate the data into the local region (S3 Cross-Region Replication) and use a local Gateway Endpoint. They also cannot be reached across VPC peering, Transit Gateway, VPN or Direct Connect; on-premises or hub-and-spoke access to S3 needs an S3 Interface Endpoint (PrivateLink) instead.
