AWS Certified Security – Specialty — Question 402
A company plans to use AWS CodeDeploy to deploy code to multiple Amazon EC2 instances in a VPC at the same time. The company needs to allow the CodeDeploy service to communicate with the instances in the VPC without going through the public internet for CodeDeploy API operations.
What should a security engineer do to meet this requirement?
Answer options
- A. Use a NAT gateway in the VPC.
- B. Use an interface VPC endpoint for CodeDeploy API operations.
- C. Use a gateway VPC endpoint for CodeDeploy API operations.
- D. Use a VPN connection to the VPC.
Correct answer: B
Explanation
An interface VPC endpoint powered by AWS PrivateLink provides private connectivity between the Amazon EC2 instances in the VPC and the AWS CodeDeploy API without requiring an internet gateway or a NAT gateway, so the traffic never leaves the AWS network. Gateway VPC endpoints are not an option for CodeDeploy: gateway endpoints exist only for Amazon S3 and DynamoDB. A NAT gateway still sends the API calls out to the public CodeDeploy endpoint over the public internet, which violates the requirement. A VPN connection links an on-premises or remote network to the VPC; it does not provide private connectivity from the instances to the CodeDeploy service and is the wrong architectural pattern for this use case.