How should the company meet these requirements?
Create a VPC endpoint for Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.
Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.
Create a new TLS certificate in AWS Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.
Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.
Explanations:
Creating a VPC endpoint for Kinesis Data Firehose allows the on-premises application to connect to the Firehose stream over a private network, fulfilling the requirement for data to be encrypted in transit. The VPC endpoint enables secure and private connectivity without traversing the public internet.
Configuring an IAM policy to restrict access using a source IP condition does not ensure that the data is transmitted over a private network. This option may limit access but does not encrypt data in transit or ensure it travels over a private connection.
Creating a public-facing Network Load Balancer (NLB) with a TLS certificate exposes the path to Kinesis Data Firehose on the public internet, which contradicts the requirement to use a private network for data transmission. This option does not ensure private connectivity or comply with the security policy.
Peering the on-premises network with the Kinesis Data Firehose VPC using Direct Connect is not a valid approach because Kinesis Data Firehose does not support VPC peering directly. Instead, a VPC endpoint should be used to enable private connectivity to the Firehose delivery stream.
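The contrast between the source-IP option and the VPC endpoint option can be made concrete with a small policy evaluator. This is an added example, not code from the page: the stream ARN, CIDR and endpoint ID are placeholders, and the evaluator models only the two IAM condition operators used here.

```python
import ipaddress

# Constructed policies (placeholder ARN, CIDR and endpoint ID).
STREAM = "arn:aws:firehose:us-east-1:123456789012:deliverystream/EXAMPLE"
SOURCE_IP_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "firehose:PutRecord", "Resource": STREAM,
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
VPCE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "firehose:PutRecord", "Resource": STREAM,
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

# Constructed request contexts. A request that arrives through an interface
# endpoint carries aws:SourceVpce and aws:VpcSourceIp rather than aws:SourceIp.
PUBLIC_PATH = {"aws:SourceIp": "203.0.113.10"}  # office egress IP, over the internet
PRIVATE_PATH = {"aws:SourceVpce": "vpce-0123456789abcdef0", "aws:VpcSourceIp": "10.0.1.25"}


def condition_matches(cond, ctx):
    """Evaluate IpAddress / StringEquals conditions; a missing context key never matches."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "IpAddress":
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif op == "StringEquals":
                if have != want:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def is_allowed(policy, action, ctx):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("source-IP", SOURCE_IP_POLICY), ("VPC-endpoint", VPCE_POLICY)):
        for path, ctx in (("internet", PUBLIC_PATH), ("endpoint", PRIVATE_PATH)):
            print(f"{name:12} policy, {path:8} path: {is_allowed(policy, 'firehose:PutRecord', ctx)}")
```

The source-IP policy admits the request that travelled over the public internet, which is exactly the path the requirement rules out, while the endpoint condition admits only traffic that entered through the private endpoint.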