What is the MOST secure solution that meets these requirements?
Use a bastion host to connect to AWS KMS.
Use a NAT gateway to connect to AWS KMS.
Use a VPC gateway endpoint for Amazon S3 to connect to AWS KMS.
Use a VPC interface endpoint to connect to AWS KMS.
Explanations:
A bastion host is used for SSH access to instances within a VPC and does not connect to AWS KMS directly.
A NAT gateway gives private subnets outbound internet access, so it does not prevent internet traversal.
A VPC gateway endpoint for Amazon S3 allows private connectivity to S3, not AWS KMS.
A VPC interface endpoint for AWS KMS enables private connections to KMS within a VPC, avoiding internet traversal.