AWS Certified Security – Specialty — Question 248

A company's on-premises networks are connected to VPCs using an AWS Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.
How should the company meet these requirements?

Answer options

• A. Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
• B. Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
• C. Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
• D. Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.

Correct answer: A

Explanation

Creating a VPC endpoint for Kinesis Data Firehose ensures that data is transmitted over a private network, meeting the security requirement for encryption in transit. The other options either do not provide a private connection or do not focus on the necessary encryption, making them less suitable for the company's security policy.