
Answer-first summary for fast verification
Answer: Use a VPC endpoint for DynamoDB.
## Explanation

**Correct Answer: A - Use a VPC endpoint for DynamoDB**

**Why this is correct:**

1. **VPC endpoints** provide private connectivity between your VPC and AWS services without requiring internet access, NAT devices, VPN connections, or AWS Direct Connect.
2. **DynamoDB VPC endpoints** (gateway VPC endpoints) allow EC2 instances in private subnets to access DynamoDB tables without their traffic leaving the AWS network.
3. This approach is **most secure** because:
   - Traffic stays entirely within the AWS network
   - No exposure to the public internet
   - No need for NAT devices, which could introduce additional attack surface
   - Direct, private connection to DynamoDB

**Why other options are incorrect:**

**B. Use a NAT gateway in a public subnet:**
- Requires traffic to go through a NAT gateway, which is less secure than a VPC endpoint
- Traffic still traverses AWS infrastructure, but not as directly as with VPC endpoints
- NAT gateways are primarily for outbound internet access from private subnets

**C. Use a NAT instance in a private subnet:**
- Similar issues as a NAT gateway, but with additional management overhead
- Less secure than VPC endpoints
- Requires an internet gateway for internet-bound traffic

**D. Use the internet gateway attached to the VPC:**
- Would require EC2 instances in private subnets to route traffic through public subnets
- Traffic would leave the AWS network and go over the public internet
- Least secure option, as it exposes traffic to potential interception

**Key Security Benefits of VPC Endpoints:**
- **Private connectivity**: Traffic never leaves the AWS backbone
- **No internet exposure**: Eliminates internet-based attack vectors
- **Simplified security**: No need to manage NAT devices or internet gateways
- **Cost-effective**: No data transfer charges for traffic between the VPC and DynamoDB within the same Region
- **Performance**: Lower latency, as traffic stays within the AWS network

This solution aligns with AWS best practices for secure, private access to AWS services from resources in private subnets.
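The explanation above describes what a gateway VPC endpoint does but not what actually has to be configured for the private subnets to use it. The following CloudFormation template is an added example written for this page (it is not from LeetQuiz or from AWS documentation): it creates a gateway endpoint for DynamoDB, associates it with the private subnets' route table (the step that makes the instances' DynamoDB traffic go through the endpoint instead of a NAT device), and attaches an endpoint policy that only permits calls to one table. The VPC ID, route table ID and the table name `AppTable` are assumed inputs supplied by the caller.

```yaml
# Added example (not from the LeetQuiz page): gateway VPC endpoint for DynamoDB.
# Assumed inputs: the VPC, the route table used by the private subnets, and the
# name of the one DynamoDB table the application needs (default "AppTable").
AWSTemplateFormatVersion: "2010-09-09"
Description: Gateway VPC endpoint for DynamoDB, reachable from private subnets

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableId:
    Type: String            # route table associated with the private subnets
  TableName:
    Type: String            # assumed table name; replace with the real one
    Default: AppTable

Resources:
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      # A gateway endpoint works by adding a route for the Region's DynamoDB
      # prefix list to each listed route table. Without this association the
      # instances keep using their default route (NAT gateway or IGW).
      RouteTableIds:
        - !Ref PrivateRouteTableId
      # Endpoint policy: the endpoint only forwards calls aimed at this table,
      # so an instance role with broader permissions still cannot reach other
      # tables through the private path.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - dynamodb:GetItem
              - dynamodb:BatchGetItem
              - dynamodb:Query
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
              - dynamodb:BatchWriteItem
            Resource:
              - !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}
              - !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}/index/*

Outputs:
  EndpointId:
    Description: Endpoint ID; appears as the target of the prefix-list route in the private route table
    Value: !Ref DynamoDbEndpoint
```

Two practical notes. First, no application change is needed: the SDK keeps calling the Regional DynamoDB endpoint, and the new prefix-list route in the private route table is what steers that traffic to the gateway endpoint. Second, the endpoint alone does not prevent a misconfigured route table from still sending DynamoDB traffic out via a NAT gateway; to enforce the "never leaves the AWS network" requirement from the other side, add a `Condition` on `aws:sourceVpce` to the IAM or resource policy for the table so that requests arriving from anywhere other than this endpoint are denied. Gateway endpoints are also reachable only from within the VPC they are attached to, not across VPN, Direct Connect or VPC peering.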
Author: LeetQuiz Editorial Team
## Question

An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon DynamoDB table. What is the MOST secure way to access the table while ensuring that the traffic does not leave the AWS network?

A. Use a VPC endpoint for DynamoDB.
B. Use a NAT gateway in a public subnet.
C. Use a NAT instance in a private subnet.
D. Use the internet gateway attached to the VPC.