Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 223 discussion

A and D are the best choices because they ensure secure authentication with IAM roles and private connectivity to DynamoDB via a VPC endpoint. B. Attach an IAM user that has sufficient privileges to the EKS pod: IAM users are intended for individuals, not applications. C. Allow outbound connectivity to the DynamoDB table through the private subnets’ network ACLs: While this ensures outbound traffic can reach DynamoDB, it doesn't eliminate the need for internet access unless a VPC endpoint is used. E. Embed the access keys in the Java Spring Boot code: Hardcoding access keys in the application code is a security risk.

After seeing D, I didn't even look at option E. its AD correct

B: Wrong, cannot be a user for EKS C: Not possible as NACL need destination CIDR/ports etc. This is not correct way to connect to DynamoDB E: Not secure AD is correct because you need roles for allowing service permissions and accessing DynamoDB with VPC endpoint is the correct way

The application needs to write data to an Amazon DynamoDB table = Attach an IAM role that has write privileges to the EKS pod Without exposing traffic to the internet = VPC endpoint for DynamoDB

The application needs to write data to an Amazon DynamoDB table = Attach an IAM role that has write privileges to the EKS pod Without exposing traffic to the internet = VPC endpoint for DynamoDB

A. By attaching an IAM role to the EKS pod, you can grant the necessary permissions for the pod to access DynamoDB. The IAM role should have appropriate policies allowing access to the DynamoDB table. D. Creating a VPC endpoint for DynamoDB allows the EKS pod to access DynamoDB privately within the VPC, without the need for internet connectivity. The VPC endpoint provides a direct and secure connection to DynamoDB, eliminating the need for traffic to flow over the internet.

A. By attaching an IAM role to the EKS pod, you can grant the necessary permissions for the pod to access DynamoDB. The IAM role should have appropriate policies allowing access to the DynamoDB table. D. Creating a VPC endpoint for DynamoDB allows the EKS pod to access DynamoDB privately within the VPC, without the need for internet connectivity. The VPC endpoint provides a direct and secure connection to DynamoDB, eliminating the need for traffic to flow over the internet. B is incorrect because attaching an IAM user to the pod is not a recommended approach. IAM users are meant for accessing AWS services through the AWS Management Console or AP. C is incorrect because configuring outbound connectivity through network ACLs would not provide a secure and direct connection to DynamoDB. E is incorrect because embedding access keys in the code is not a recommended security practice. It can lead to potential security vulnerabilities. It is better to use IAM roles or other secure mechanisms for providing access to AWS services.

A & D options fulfill the requirements.

Definitely

A D are the correct options

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html https://aws.amazon.com/about-aws/whats-new/2019/09/amazon-eks-adds-support-to-assign-iam-permissions-to-kubernetes-service-accounts/

A, D is the correct answer.

The correct answer is A,D