AWS Certified Solutions Architect - Associate

Ultimate access to all questions.

Explanation:

Explanation

Correct Answer: A - Use a VPC endpoint for DynamoDB

Why this is correct:

VPC endpoints provide private connectivity between your VPC and AWS services without requiring internet access, NAT devices, VPN connections, or AWS Direct Connect.
DynamoDB VPC endpoints (Gateway VPC Endpoints) allow EC2 instances in private subnets to access DynamoDB tables without their traffic leaving the AWS network.
This approach is most secure because:
- Traffic stays entirely within the AWS network
- No exposure to the public internet
- No need for NAT devices which could introduce additional attack surfaces
- Direct, private connection to DynamoDB

Why other options are incorrect:

B. Use a NAT gateway in a public subnet:

Requires traffic to go through a NAT gateway, which is less secure than a VPC endpoint
Traffic still traverses AWS infrastructure but not as directly as with VPC endpoints
NAT gateways are primarily for outbound internet access from private subnets

C. Use a NAT instance in a private subnet:

D. Use the internet gateway attached to the VPC:

Would require EC2 instances in private subnets to route traffic through public subnets
Traffic would leave AWS network and go over the public internet
Least secure option as it exposes traffic to potential interception

Key Security Benefits of VPC Endpoints:

Private connectivity: Traffic never leaves AWS backbone
No internet exposure: Eliminates internet-based attack vectors
Simplified security: No need to manage NAT devices or internet gateways
Cost-effective: No data transfer charges for traffic between VPC and DynamoDB within the same region
Performance: Lower latency as traffic stays within AWS network

This solution aligns with AWS best practices for secure, private access to AWS services from resources in private subnets.

Explanation:

Correct Answer: A - Use a VPC endpoint for DynamoDB

Why this is correct:

VPC endpoints provide private connectivity between your VPC and AWS services without requiring internet access, NAT devices, VPN connections, or AWS Direct Connect.
DynamoDB VPC endpoints (Gateway VPC Endpoints) allow EC2 instances in private subnets to access DynamoDB tables without their traffic leaving the AWS network.
This approach is most secure because:
- Traffic stays entirely within the AWS network
- No exposure to the public internet
- No need for NAT devices which could introduce additional attack surfaces
- Direct, private connection to DynamoDB

Why other options are incorrect:

B. Use a NAT gateway in a public subnet:

Requires traffic to go through a NAT gateway, which is less secure than a VPC endpoint
Traffic still traverses AWS infrastructure but not as directly as with VPC endpoints
NAT gateways are primarily for outbound internet access from private subnets

C. Use a NAT instance in a private subnet:

D. Use the internet gateway attached to the VPC:

Would require EC2 instances in private subnets to route traffic through public subnets
Traffic would leave AWS network and go over the public internet
Least secure option as it exposes traffic to potential interception

Key Security Benefits of VPC Endpoints:

Private connectivity: Traffic never leaves AWS backbone
No internet exposure: Eliminates internet-based attack vectors
Simplified security: No need to manage NAT devices or internet gateways
Cost-effective: No data transfer charges for traffic between VPC and DynamoDB within the same region
Performance: Lower latency as traffic stays within AWS network

This solution aligns with AWS best practices for secure, private access to AWS services from resources in private subnets.

No comments yet.

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use a VPC endpoint for DynamoDB.

Use a NAT gateway in a public subnet.

Use a NAT instance in a private subnet.