What should a database specialist do to resolve this issue while minimizing access to external resources?
Add a route to an internet gateway in the subnet’s route table.
Add a route to a NAT gateway in the subnet’s route table.
Assign a new security group to the EC2 instances with an outbound rule to ports 80 and 443.
Create a VPC endpoint for DynamoDB and add a route to the endpoint in the subnet’s route table.
Explanations:
Adding a route to an internet gateway would turn the private subnet into a public one. It gives the EC2 instances (and, for inbound traffic, anything on the internet) a path to the whole internet, and the instances would additionally need public or Elastic IPs to use it. The scenario neither needs nor wants this; it is the opposite of minimizing exposure.
A NAT gateway provides outbound-only internet access for instances in a private subnet. That is enough to reach DynamoDB's public service endpoint, so this option would technically restore connectivity, but it grants the instances egress to every internet destination rather than just DynamoDB, sends the DynamoDB traffic out over the public endpoint, and adds hourly and per-GB charges. It does not minimize access to external resources.
Security groups are stateful filters at the instance (network interface) level; they do not create a network path. The default security group already allows all outbound traffic, so adding an outbound rule for ports 80 and 443 changes nothing while the subnet's route table has no route that reaches DynamoDB. The issue is routing, not security group rules. (If a restrictive security group were in place, outbound HTTPS on port 443 would still have to be allowed toward the endpoint, but that is in addition to the route, not instead of it.)
DynamoDB is reached privately through a gateway VPC endpoint. When the endpoint is associated with the private subnet's route table, AWS adds a route for the DynamoDB service prefix list that points at the endpoint, so requests to DynamoDB stay on the AWS network and never traverse the internet; no internet gateway, NAT gateway, or public IP is involved. Gateway endpoints for DynamoDB carry no charge, and an endpoint policy can further restrict which tables and actions are reachable through them. This option restores the required connectivity while minimizing exposure to external resources.
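The check a practitioner would run after applying the fix is to confirm that the subnet's route table has the gateway endpoint route and no default route to an internet or NAT gateway, and to attach a least-privilege endpoint policy. The following is an added example, not part of the original quiz or of any AWS documentation: it audits route tables in the JSON shape returned by `aws ec2 describe-route-tables` and builds an endpoint policy document. The route table data, the resource IDs (rtb-, vpce-, nat-, pl-), the table ARN and the chosen set of DynamoDB actions are all constructed assumptions; in particular, the code assumes the only gateway endpoint in the VPC is the DynamoDB one (an S3 gateway endpoint would also appear as a prefix-list route to a vpce- target, and telling them apart requires `describe-vpc-endpoints`).

```python
"""Audit a subnet's route table for internet egress and a DynamoDB gateway endpoint route.

Added example (not from the original page). Input mirrors the JSON of
`aws ec2 describe-route-tables`; the sample below is constructed, not real account data.
"""

# Constructed sample: two route tables as describe-route-tables would return them.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # Fixed the intended way: local route plus a gateway endpoint route, no internet path.
            "RouteTableId": "rtb-0aaa",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationPrefixListId": "pl-0bbb", "GatewayId": "vpce-0ccc", "State": "active"},
            ],
        },
        {   # "Fixed" with a NAT gateway: DynamoDB is reachable, but so is the entire internet.
            "RouteTableId": "rtb-0ddd",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0eee", "State": "active"},
            ],
        },
    ]
}


def target_of(route):
    """A route names its target in one of several fields depending on the target type."""
    for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                "TransitGatewayId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def audit_route_table(rt):
    """Return where this route table can send traffic: internet egress targets and any gateway endpoint."""
    result = {"route_table": rt["RouteTableId"], "internet_paths": [], "gateway_endpoint": None}
    for route in rt.get("Routes", []):
        if route.get("State") != "active":   # blackholed routes carry no traffic
            continue
        target = target_of(route) or ""
        # A default route to an internet gateway or NAT gateway means general internet egress.
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and (
                target.startswith("igw-") or target.startswith("nat-")):
            result["internet_paths"].append(target)
        # Gateway endpoints show up as a prefix-list destination pointing at a vpce- target.
        # Assumption: the only gateway endpoint here is DynamoDB's.
        if "DestinationPrefixListId" in route and target.startswith("vpce-"):
            result["gateway_endpoint"] = target
    return result


def is_private_with_endpoint(rt):
    """True only when DynamoDB is reachable via the endpoint and there is no internet path at all."""
    audit = audit_route_table(rt)
    return not audit["internet_paths"] and audit["gateway_endpoint"] is not None


def least_privilege_endpoint_policy(table_arns, actions=None):
    """Endpoint policy document restricting the endpoint to named tables and item-level actions.

    The action list is an assumption about what the application needs; trim it to fit.
    """
    actions = actions or ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                          "dynamodb:DeleteItem", "dynamodb:Query"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": list(table_arns),
        }],
    }


if __name__ == "__main__":
    for rt in SAMPLE_ROUTE_TABLES["RouteTables"]:
        print(audit_route_table(rt), "OK" if is_private_with_endpoint(rt) else "EXPOSED")
```

In a real account the input would come from `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>`, and the endpoint itself is created with `aws ec2 create-vpc-endpoint --vpc-endpoint-type Gateway --service-name com.amazonaws.<region>.dynamodb --vpc-id <vpc-id> --route-table-ids <rtb-id> --policy-document file://policy.json`; AWS inserts the prefix-list route into each listed route table, which is what the audit above then looks for.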