AWS Certified Solutions Architect – Associate (SAA-C02) — Question 645
A company hosts an application on AWS. The application uses AWS Lambda functions and stores data in Amazon DynamoDB tables. The Lambda functions are connected to a VPC that does not have internet access.
The traffic to access DynamoDB must not travel across the internet. The application must have write access to only specific DynamoDB tables.
Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Attach a VPC endpoint policy for DynamoDB to allow write access to only the specific DynamoDB tables.
- B. Attach a security group to the interface VPC endpoint to allow write access to only the specific DynamoDB tables.
- C. Create a resource-based IAM policy to grant write access to only the specific DynamoDB tables. Attach the policy to the DynamoDB tables.
- D. Create a gateway VPC endpoint for DynamoDB that is associated with the Lambda VPC. Ensure that the Lambda execution role can access the gateway VPC endpoint.
- E. Create an interface VPC endpoint for DynamoDB that is associated with the Lambda VPC. Ensure that the Lambda execution role can access the interface VPC endpoint.
Correct answer: A, D
Explanation
To keep DynamoDB traffic off the public internet from a VPC that has no internet access, create a gateway VPC endpoint for DynamoDB in the Lambda VPC (Option D). To limit the application to write access on specific DynamoDB tables only, attach a VPC endpoint policy to that gateway endpoint that grants the write actions on those tables alone (Option A). Security groups cannot restrict access to specific DynamoDB tables (Option B). DynamoDB does not support resource-based policies for this type of access control (Option C). While interface endpoints exist, a gateway endpoint is the standard, cost-effective way to route DynamoDB traffic privately within a VPC (Option E).
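As an added example (not part of the original question set), the following CloudFormation template implements Options D and A together: a gateway endpoint for DynamoDB attached to the private route table used by the Lambda subnets, carrying an endpoint policy that allows only write actions on a single table, plus a Lambda execution role that grants the same actions. The VPC, route table and the `Orders` table name are placeholders, and the Lambda functions are assumed to be configured with subnets that use that route table.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Gateway VPC endpoint for DynamoDB with a write-restricting endpoint policy (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # placeholder: the VPC the Lambda functions are attached to
  PrivateRouteTableId:
    Type: String                     # placeholder: route table of the Lambda subnets (no IGW/NAT route)
Resources:
  # Option D: gateway endpoint; adds a prefix-list route for DynamoDB to the route table,
  # so traffic stays on the AWS network instead of needing internet access.
  DynamoDbGatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      RouteTableIds: [!Ref PrivateRouteTableId]
      # Option A: endpoint policy. Only the listed write actions on the Orders table may
      # cross this endpoint; any other action or table is denied here regardless of the caller's IAM role.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: WriteOnlyToOrdersTable
            Effect: Allow
            Principal: "*"           # gateway endpoint policies filter requests, not principals
            Action:
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
              - dynamodb:BatchWriteItem
            Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders
  # Execution role: still needs its own grant, because access through the endpoint is the
  # intersection of the endpoint policy and the identity policy.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole   # ENI management for VPC-attached Lambda
      Policies:
        - PolicyName: OrdersTableWrite
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:DeleteItem, dynamodb:BatchWriteItem]
                Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders
```

A request through the endpoint succeeds only when both the endpoint policy and the execution role allow it, so widening the role later cannot extend writes to other tables without also changing the endpoint policy.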