AWS Certified Database – Specialty — Question 188
A company uses AWS Lambda functions in a private subnet in a VPC to run application logic. The Lambda functions must not have access to the public internet. Additionally, all data communication must remain within the private network. As part of a new requirement, the application logic needs access to an Amazon DynamoDB table.
What is the MOST secure way to meet this new requirement?
Answer options
- A. Provision the DynamoDB table inside the same VPC that contains the Lambda functions
- B. Create a gateway VPC endpoint for DynamoDB to provide access to the table
- C. Use a network ACL to only allow access to the DynamoDB table from the VPC
- D. Use a security group to only allow access to the DynamoDB table from the VPC
Correct answer: B
Explanation
The most secure way to reach the DynamoDB table without exposing the Lambda functions to the internet is to create a gateway VPC endpoint for DynamoDB (option B). A gateway endpoint adds a route for the DynamoDB service prefix list to the private subnet's route table, so requests from the Lambda functions travel over the AWS network directly to the service and never need a NAT gateway or an internet gateway. The endpoint also supports an endpoint policy, which can restrict the traffic that passes through it to the specific table the application needs. Options A, C, and D do not provide the same level of security and control: A would not eliminate public internet access, because DynamoDB is a managed service that is not provisioned inside a customer VPC; C and D only filter traffic at the subnet or resource level and do not by themselves create a private path to DynamoDB, so without an endpoint the functions would still have to reach the service's public endpoint through the internet.
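To show what option B looks like in practice, the following CloudFormation template is an added example for this page and is not part of the exam question or of any AWS sample. It creates the gateway endpoint, associates it with the private route table used by the Lambda subnet, and attaches a least-privilege endpoint policy. The parameter names, the default table name `app-table`, and the set of allowed actions are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: gateway VPC endpoint for DynamoDB with a least-privilege
  endpoint policy. VPC, route table and table names are assumed placeholders.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # assumed: the VPC that hosts the Lambda functions
  PrivateRouteTableId:
    Type: String                     # assumed: route table of the Lambda private subnet(s)
  TableName:
    Type: String
    Default: app-table               # assumed: the DynamoDB table the application needs

Resources:
  DynamoDbGatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      # A gateway endpoint works by inserting a route for the DynamoDB
      # prefix list into these route tables; no NAT or internet gateway is needed.
      RouteTableIds:
        - !Ref PrivateRouteTableId
      # Endpoint policy: limits what can be reached through this endpoint.
      # Without it the endpoint allows full access to DynamoDB (any table,
      # any account). The Lambda execution role still needs its own IAM grant.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:Query
            Resource:
              - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}
              - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}/index/*
```

Two design points matter here. First, `Principal: "*"` is normal in an endpoint policy: it is evaluated together with the caller's IAM identity policy, so the effective permission is the intersection of both, and the `Resource` list is what prevents the endpoint from being used as a path to tables in other accounts. Second, after deployment the check a reviewer wants is that the private route table now contains a route whose destination is the DynamoDB prefix list and whose target is the endpoint, and that the subnet has no default route to a NAT or internet gateway; `aws ec2 describe-route-tables` on the route table shows both.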