Question 250:
A large construction company is storing all design documents in an Amazon S3 bucket. These large files are critical project documents that need to be accessed frequently during meetings. Currently, users are accessing the Amazon S3 bucket over the internet. Due to performance issues over internet links, the IT Head is looking for a high-performance, in-transit encrypted link to allow users to access the S3 bucket securely. He also wants to ensure that only Amazon S3 buckets are accessed over these links and that no other traffic is allowed on them. Which of the following connectivity options meets this requirement in the easiest way?
Answer options:
A. Use AWS Direct Connect Private VIFs. Use an EC2 proxy instance behind a Network Load Balancer to send all traffic towards Amazon S3 using VPC private endpoints.
B. Use a Public VIF, limited to the S3 prefixes, and configure a bucket policy that enforces the use of encryption in transit using the "aws:SecureTransport" option.
C. Use AWS Direct Connect Public VIFs. Use a route-policy on on-premises routers to allow only the Amazon S3 IP range to be accessed.
D. Use a software VPN to terminate traffic on an Amazon EC2 instance. Use an EC2 proxy instance behind a Network Load Balancer to send all traffic towards Amazon S3 using a VPC private endpoint.