AWS Certified Solutions Architect – Associate (SAA-C03) — Question 167
An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon DynamoDB table.
What is the MOST secure way to access the table while ensuring that the traffic does not leave the AWS network?
Answer options
- A. Use a VPC endpoint for DynamoDB.
- B. Use a NAT gateway in a public subnet.
- C. Use a NAT instance in a private subnet.
- D. Use the internet gateway attached to the VPC.
Correct answer: A
Explanation
The most secure way to access DynamoDB from private subnets is to use a VPC endpoint, which keeps all traffic within the AWS network. A NAT gateway or NAT instance would route traffic through the internet, compromising security and potentially increasing latency. An internet gateway is not suitable because it allows traffic to leave the AWS network, which contradicts the requirement.