What is the MOST secure way to meet this new requirement?

By:
In: DBS-C01
Tagged:
With: 2 Comments
A company uses AWS Lambda functions in a private subnet in a VPC to run application logic.The Lambda functions must not have access to the public internet.Additionally, all data communication must remain within the private network.As part of a new requirement, the application logic needs access to an Amazon DynamoDB table.

What is the MOST secure way to meet this new requirement?

Provision the DynamoDB table inside the same VPC that contains the Lambda functions

Create a gateway VPC endpoint for DynamoDB to provide access to the table

Use a network ACL to only allow access to the DynamoDB table from the VPC

Use a security group to only allow access to the DynamoDB table from the VPC

Explanations:

DynamoDB is a managed service and cannot be provisioned inside a VPC.

A gateway VPC endpoint allows secure, private communication between the Lambda functions in the VPC and DynamoDB, without using public internet access.

Network ACLs control traffic at the subnet level, but they cannot restrict access to specific AWS services like DynamoDB.

Security groups are stateful and work at the instance level, but DynamoDB does not support security groups for direct access control.

2026-04-05

2 Comments

  1. James
    Author

    It appears that the answer is:
    Create a gateway VPC endpoint for DynamoDB to provide access to the table

  2. Noah
    Author

    To the best of my knowledge, the answer is:
    Create a gateway VPC endpoint for DynamoDB to provide access to the table

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen − 10 =