AWS Certified Solutions Architect – Associate (SAA-C03) — Question 566

A solutions architect needs to ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet.

Which combination of steps should the solutions architect take to meet this requirement? (Choose two.)

Answer options

• A. Create a route table entry for the endpoint.
• B. Create a gateway endpoint for DynamoDB.
• C. Create an interface endpoint for Amazon EC2.
• D. Create an elastic network interface for the endpoint in each of the subnets of the VPC.
• E. Create a security group entry in the endpoint's security group to provide access.

Correct answer: A, B

Explanation

To establish a private connection to Amazon DynamoDB from a VPC, a gateway VPC endpoint must be created, which routes traffic internally without using the public internet. Once created, the VPC route tables must be updated with an entry that automatically directs DynamoDB-bound traffic through this gateway. Options C, D, and E are incorrect because gateway endpoints do not use elastic network interfaces (ENIs) or security groups, unlike interface endpoints.