AWS Certified Database – Specialty — Question 245
A database administrator is reviewing the deployment of an application that uses Amazon DynamoDB. A fleet of Amazon EC2 application instances accesses the database.
The database administrator notices that EC2 instances are using public IP addresses to access the database and that the database is available to the internet. Company policy requires that all corporate data must be accessed privately and that external access from the internet is not allowed.
Which combination of steps will ensure that the DynamoDB database meets these requirements? (Choose two.)
Answer options
- A. Configure the DynamoDB security group and network ACLs to block external access.
- B. Create an AWS PrivateLink VPC endpoint for DynamoDB. Update the VPC route table.
- C. Create a gateway VPC endpoint for DynamoDB. Update the VPC route table.
- D. Provision a NAT gateway to access DynamoDB. Update the VPC route table.
- E. Use the aws:sourceVpce condition for all the IAM roles that provision access to the table.
Correct answer: C, E
Explanation
The correct answers are C and E. Creating a gateway VPC endpoint for DynamoDB allows private connectivity without using public IPs, ensuring compliance with the policy. Additionally, using the aws:sourceVpce condition in IAM roles ensures that only requests coming from the specified VPC endpoint can access the database, providing an additional layer of security. Options A and B do not fully meet the requirement for private access, and option D introduces unnecessary complexity by using a NAT gateway.
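As an added example (not part of the original question or answer key), the following Python builds the kind of IAM policy document option E refers to, restricting DynamoDB access to requests that arrive through the gateway endpoint, and includes a small evaluator that models how IAM handles the aws:sourceVpce condition key. The table ARN and endpoint ID are constructed placeholders, and the evaluator is a simplified model of IAM's deny-overrides logic for the two operators used here, not the real policy engine.

```python
"""Added example: IAM policy restricting DynamoDB access to a gateway VPC
endpoint via the aws:sourceVpce condition key, plus a simplified evaluator.
The ARN and endpoint ID below are constructed placeholders, not real values."""
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"  # constructed
VPCE_ID = "vpce-0123456789abcdef0"                                   # constructed


def build_table_policy(table_arn: str, vpce_id: str) -> dict:
    """Allow data-plane actions on the table only when the request context
    carries the expected aws:sourceVpce; the explicit Deny keeps the
    restriction in force even if some other policy grants broader access."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowFromGatewayEndpoint",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                "Sid": "DenyOutsideEndpoint",
                "Effect": "Deny",
                "Action": "dynamodb:*",
                "Resource": table_arn,
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    """Exact match or a trailing-wildcard match such as dynamodb:*."""
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def _condition_matches(condition: dict, context: dict) -> bool:
    """Model IAM's missing-key rule for the two operators used above:
    StringEquals is false when the key is absent from the request context,
    StringNotEquals is true when it is absent (so the Deny fires for
    requests that did not come through any endpoint)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator in this model: {operator}")
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified IAM evaluation: an applicable explicit Deny wins, otherwise
    at least one applicable Allow is required; the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if stmt["Resource"] != resource:
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_table_policy(TABLE_ARN, VPCE_ID)
    print(json.dumps(policy, indent=2))
    via_endpoint = {"aws:sourceVpce": VPCE_ID}   # traffic routed through the gateway endpoint
    via_internet = {}                            # public-IP path: no endpoint in the context
    print("GetItem via endpoint:", is_allowed(policy, "dynamodb:GetItem", TABLE_ARN, via_endpoint))
    print("GetItem via internet:", is_allowed(policy, "dynamodb:GetItem", TABLE_ARN, via_internet))
```

The endpoint itself (option C) is created with `aws ec2 create-vpc-endpoint --vpc-endpoint-type Gateway --service-name com.amazonaws.<region>.dynamodb --vpc-id <vpc-id> --route-table-ids <rtb-id>`; passing the route table IDs adds the prefix-list route for DynamoDB to those tables, which is the "update the VPC route table" step. The condition key only appears in the request context for requests that actually traverse the endpoint, which is why the Deny with StringNotEquals is the part that blocks the public-IP path.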