AWS Certified Solutions Architect - Associate

Ultimate access to all questions.

Explanation:

Explanation

Correct Answers: A and D

A. Attach an IAM role that has sufficient privileges to the EKS pod. - This is correct because:

EKS pods should use IAM roles for service accounts (IRSA) to securely access AWS services
IAM roles provide temporary credentials that rotate automatically, which is more secure than static credentials
This follows AWS security best practices for containerized applications

D. Create a VPC endpoint for DynamoDB. - This is correct because:

VPC endpoints (specifically Gateway VPC endpoints for DynamoDB) allow private connectivity between the VPC and DynamoDB
Traffic stays within the AWS network and doesn't go over the internet
This enables the application in private subnets to access DynamoDB without internet connectivity

Why other options are incorrect:

B. Attach an IAM user that has sufficient privileges to the EKS pod. - Incorrect because:

C. Allow outbound connectivity to the DynamoDB table through the private subnets' network ACLs. - Incorrect because:

Network ACLs control traffic at the subnet level, but this doesn't solve the internet exposure issue
Even with outbound rules, traffic would still go over the internet without a VPC endpoint
This approach would expose traffic to the internet, violating the requirement

E. Embed the access keys in the Java Spring Boot code. - Incorrect because:

Key Concepts:

IRSA (IAM Roles for Service Accounts): Allows EKS pods to assume IAM roles using OpenID Connect
VPC Endpoints for DynamoDB: Gateway endpoints that route DynamoDB traffic through AWS private network
Private Subnets: Subnets without internet gateways, requiring VPC endpoints for AWS service access

Architecture Design:

Explanation:

Correct Answers: A and D

A. Attach an IAM role that has sufficient privileges to the EKS pod. - This is correct because:

EKS pods should use IAM roles for service accounts (IRSA) to securely access AWS services
IAM roles provide temporary credentials that rotate automatically, which is more secure than static credentials
This follows AWS security best practices for containerized applications

D. Create a VPC endpoint for DynamoDB. - This is correct because:

VPC endpoints (specifically Gateway VPC endpoints for DynamoDB) allow private connectivity between the VPC and DynamoDB
Traffic stays within the AWS network and doesn't go over the internet
This enables the application in private subnets to access DynamoDB without internet connectivity

Why other options are incorrect:

B. Attach an IAM user that has sufficient privileges to the EKS pod. - Incorrect because:

C. Allow outbound connectivity to the DynamoDB table through the private subnets' network ACLs. - Incorrect because:

Network ACLs control traffic at the subnet level, but this doesn't solve the internet exposure issue
Even with outbound rules, traffic would still go over the internet without a VPC endpoint
This approach would expose traffic to the internet, violating the requirement

E. Embed the access keys in the Java Spring Boot code. - Incorrect because:

Key Concepts:

IRSA (IAM Roles for Service Accounts): Allows EKS pods to assume IAM roles using OpenID Connect
VPC Endpoints for DynamoDB: Gateway endpoints that route DynamoDB traffic through AWS private network
Private Subnets: Subnets without internet gateways, requiring VPC endpoints for AWS service access

Architecture Design:

No comments yet.

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Attach an IAM role that has sufficient privileges to the EKS pod.

Attach an IAM user that has sufficient privileges to the EKS pod.