EC2 instances in a private subnet need to access S3, but for security the traffic must not traverse the public internet or a NAT Gateway. What should the architect configure?
A) An Interface VPC endpoint (PrivateLink) for EC2.
B) A Gateway VPC endpoint for S3.
C) A second NAT Gateway.
D) A public IP on each instance.
Correct Answer: B
Explanation: A Gateway VPC endpoint for S3 adds a prefix-list route to the private subnet's route table, so requests to S3 stay on the AWS network, never reach the public internet, and incur no NAT Gateway data-processing charges. (A) targets the wrong service: the endpoint must be for S3, not EC2, and S3 is served here by a Gateway endpoint. (C) still sends the traffic through a NAT Gateway and out to the internet. (D) exposes the instances directly to the internet.