AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon DynamoDB table. What is the MOST secure way to access the table while ensuring that the traffic does not leave the AWS network?
Other
Community
UAnonymous
A
Use a VPC endpoint for DynamoDB.
B
Use a NAT gateway in a public subnet.
C
Use a NAT instance in a private subnet.
D
Use the internet gateway attached to the VPC.
Explanation:
Explanation
Correct Answer: A - Use a VPC endpoint for DynamoDB
Why this is correct:
- VPC endpoints provide private connectivity between your VPC and AWS services without requiring internet access, NAT devices, VPN connections, or AWS Direct Connect.
- DynamoDB VPC endpoints (Gateway VPC Endpoints) allow EC2 instances in private subnets to access DynamoDB tables without their traffic leaving the AWS network.
- This approach is most secure because:
- Traffic stays entirely within the AWS network
- No exposure to the public internet
- No need for NAT devices which could introduce additional attack surfaces
- Direct, private connection to DynamoDB
Why other options are incorrect:
B. Use a NAT gateway in a public subnet:
- Requires traffic to go through a NAT gateway, which is less secure than a VPC endpoint
- Traffic still traverses AWS infrastructure but not as directly as with VPC endpoints
- NAT gateways are primarily for outbound internet access from private subnets
C. Use a NAT instance in a private subnet:
- Similar issues as NAT gateway but with additional management overhead
- Less secure than VPC endpoints
- Requires internet gateway for internet-bound traffic
D. Use the internet gateway attached to the VPC:
- Would require EC2 instances in private subnets to route traffic through public subnets
- Traffic would leave AWS network and go over the public internet
- Least secure option as it exposes traffic to potential interception
Key Security Benefits of VPC Endpoints:
- Private connectivity: Traffic never leaves AWS backbone
- No internet exposure: Eliminates internet-based attack vectors
- Simplified security: No need to manage NAT devices or internet gateways
- Cost-effective: No data transfer charges for traffic between VPC and DynamoDB within the same region
- Performance: Lower latency as traffic stays within AWS network
This solution aligns with AWS best practices for secure, private access to AWS services from resources in private subnets.
Comments
Loading comments...