AWS Certified SysOps Administrator – Associate (legacy) — Question 740
A SysOps administrator needs a secure way to connect to AWS Key Management Service (AWS KMS) within a VPC. The SysOps administrator must ensure that connections to AWS KMS do not traverse the internet.
What is the MOST secure solution that meets these requirements?
Answer options
- A. Use a bastion host to connect to AWS KMS.
- B. Use a NAT gateway to connect to AWS KMS.
- C. Use a VPC gateway endpoint for Amazon S3 to connect to AWS KMS.
- D. Use a VPC interface endpoint to connect to AWS KMS.
Correct answer: D
Explanation
A VPC interface endpoint, powered by AWS PrivateLink, places an elastic network interface with a private IP address in the VPC, so resources inside the VPC reach AWS KMS over the AWS network without traversing the public internet; with private DNS enabled, the standard KMS endpoint name resolves to that private address, so clients need no configuration change. A NAT gateway still sends traffic to the public KMS endpoint over the internet, which violates the requirement. A bastion host only provides an administrative jump point and does not change how API traffic to KMS is routed. VPC gateway endpoints are available only for Amazon S3 and DynamoDB, not for AWS KMS.