How can an application running on private subnet EC2 instances securely access an Amazon DynamoDB table without AWS network egress?