Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 562 discussion

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html

The reasons are: A gateway endpoint for DynamoDB enables private connectivity between DynamoDB and the VPC. This allows EC2 instances to access DynamoDB APIs without traversing the internet. A security group entry is needed to allow the EC2 instances access to the DynamoDB endpoint over the VPC. An interface endpoint is used for services like S3 and Systems Manager, not DynamoDB. Route table entries route traffic within a VPC but do not affect external connectivity. Elastic network interfaces are not needed for gateway endpoints.

A & B are correct https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html E is incorrect. There's no need for security group. From the URL above: "Once the VPC subnet’s gateway endpoint has been granted access to DynamoDB, any AWS account with access to that subnet can use DynamoDB."

Creating the gateway endpoint and edit the route table is enough, there are no secruity group involved

AB https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

C & D are both not relevant. D looks ok but DynamoDB doesn't go with security group, it only allows route table for VPC endpoint. Link here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

DynamoDB can only be connected via Gateway endpoint (just like S3) route table for connecting the VPC tor the endpoint So do B then A C: interface endpoint for EC2 to what? D: ENI not applicable here for VPC E: Incomplete option as to access to what?

go through this video it will show the answer is AB https://www.youtube.com/watch?v=8FTnyhklEvU

Gateway Endpoint does not have an ENI, thus it has no security group. Instances have security groups and those must allow access to DynamoDB.

A. Create a route table entry for the endpoint: This is not necessary, as the gateway endpoint itself automatically creates the required route table entries.

Create a gateway endpoint for DynamoDB then create a route table entry for the endpoint

refer to question 555

https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html#vpc-endpoints-routing Traffic from your VPC to Amazon S3 or DynamoDB is routed to the gateway endpoint. Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint using the prefix list for the service.

You can access Amazon DynamoDB from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to DynamoDB.

It is A and B. Not E because security group does not span VPCs.

A and B for sure

B and D.