AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company has deployed a Java Spring Boot application as a pod that runs on Amazon Elastic Kubernetes Service (Amazon EKS) in private subnets. The application needs to write data to an Amazon DynamoDB table. A solutions architect must ensure that the application can interact with the DynamoDB table without exposing traffic to the internet.
Which combination of steps should the solutions architect take to accomplish this goal? (Choose two.)
Other
Community
UAnonymous
A
Attach an IAM role that has sufficient privileges to the EKS pod.
B
Attach an IAM user that has sufficient privileges to the EKS pod.
C
Allow outbound connectivity to the DynamoDB table through the private subnets' network ACLs.
D
Create a VPC endpoint for DynamoDB.
E
Embed the access keys in the Java Spring Boot code.
Explanation:
Explanation
Correct Answers: A and D
A. Attach an IAM role that has sufficient privileges to the EKS pod. - This is correct because:
- EKS pods should use IAM roles for service accounts (IRSA) to securely access AWS services
- IAM roles provide temporary credentials that rotate automatically, which is more secure than static credentials
- This follows AWS security best practices for containerized applications
D. Create a VPC endpoint for DynamoDB. - This is correct because:
- VPC endpoints (specifically Gateway VPC endpoints for DynamoDB) allow private connectivity between the VPC and DynamoDB
- Traffic stays within the AWS network and doesn't go over the internet
- This enables the application in private subnets to access DynamoDB without internet connectivity
Why other options are incorrect:
B. Attach an IAM user that has sufficient privileges to the EKS pod. - Incorrect because:
- IAM users are for human or programmatic access, not recommended for EKS pods
- Requires managing long-term credentials which is a security risk
- EKS pods should use IAM roles with IRSA instead
C. Allow outbound connectivity to the DynamoDB table through the private subnets' network ACLs. - Incorrect because:
- Network ACLs control traffic at the subnet level, but this doesn't solve the internet exposure issue
- Even with outbound rules, traffic would still go over the internet without a VPC endpoint
- This approach would expose traffic to the internet, violating the requirement
E. Embed the access keys in the Java Spring Boot code. - Incorrect because:
- Hardcoding credentials in application code is a major security anti-pattern
- Credentials can be exposed in source control, logs, or during debugging
- Makes credential rotation difficult and increases security risks
Key Concepts:
- IRSA (IAM Roles for Service Accounts): Allows EKS pods to assume IAM roles using OpenID Connect
- VPC Endpoints for DynamoDB: Gateway endpoints that route DynamoDB traffic through AWS private network
- Private Subnets: Subnets without internet gateways, requiring VPC endpoints for AWS service access
Architecture Design:
- EKS pod → IAM role (via IRSA) → VPC endpoint → DynamoDB
- All traffic stays within AWS network, no internet exposure
Comments
Loading comments...