A Java Spring Boot application runs as a pod on Amazon EKS in private subnets and needs to write data to an Amazon DynamoDB table without exposing traffic to the internet. Which combination of steps should a solutions architect take to accomplish this? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Attach an IAM role that has sufficient privileges to the EKS pod., Create a VPC endpoint for DynamoDB..
Why this is the answer
To allow an Amazon EKS pod in private subnets to securely access Amazon DynamoDB without internet exposure, two key steps are required. First, create a VPC endpoint for DynamoDB. This establishes a private connection from your VPC to DynamoDB, ensuring traffic remains within the AWS network. Second, attach an IAM role with sufficient permissions (e.g., dynamodb:PutItem, dynamodb:UpdateItem) to the EKS pod. This grants the pod the necessary authorization to interact with DynamoDB. Attaching an IAM user is incorrect because IAM users are for human users or long-lived credentials, not for applications running on EKS. Embedding access keys in code is a security anti-pattern. Network ACLs control traffic, but a VPC endpoint is needed for private connectivity to AWS services.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed