Which combination of steps should the solutions architect take to accomplish this goal?
(Choose two.)
Attach an IAM role that has sufficient privileges to the EKS pod.
Attach an IAM user that has sufficient privileges to the EKS pod.
Allow outbound connectivity to the DynamoDB table through the private subnets’ network ACLs.
Create a VPC endpoint for DynamoDB.
Embed the access keys in the Java Spring Boot code.
Explanations:
Attaching an IAM role to the EKS pod (IAM Roles for Service Accounts, or the newer EKS Pod Identity) lets the application obtain short-lived credentials for that role from STS and call DynamoDB without any access keys to distribute or rotate. With IRSA the Kubernetes service account is annotated with the role ARN, the EKS pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod, and the AWS SDK's default credential chain picks them up with no code change (for the AWS SDK for Java v2 the sts module must be on the classpath so the web identity provider is available). This is the AWS-recommended approach and gives fine-grained, per-workload access control.
Attaching an IAM user to the EKS pod is not possible: an IAM user is not a Kubernetes identity and cannot be associated with a pod. The only way to use an IAM user from a pod would be to give the pod the user's long-lived access keys, which is exactly what the role-based approach avoids. Roles are the mechanism for pod access, so this option is invalid.
Allowing outbound connectivity through the private subnets' network ACLs is not one of the required steps: a gateway endpoint for DynamoDB keeps the traffic on the AWS network without an internet gateway or NAT gateway, and editing NACLs does nothing by itself to authenticate or protect the connection. Note that traffic to a gateway endpoint is still evaluated by the subnet's NACL and the pod's security group, so a custom NACL that denies outbound HTTPS to the DynamoDB prefix list would have to be corrected; the default NACL allows all traffic and needs no change.
Creating a VPC endpoint for DynamoDB (a gateway endpoint, which adds a route for the DynamoDB prefix list to the private subnets' route tables) gives the pods private connectivity to DynamoDB without an internet gateway or NAT gateway, so all traffic stays within the AWS network. An endpoint policy can additionally restrict which principals and which tables are reachable through it. This improves both the security posture and performance, since the NAT hop is removed.
Embedding access keys in the Java Spring Boot code is poor security practice: the keys are long-lived, end up in source control and container images, are hard to rotate (every rotation is a redeploy), and anyone who can read the repository or pull the image can use them. An IAM role assumed by the pod provides the same access with short-lived, automatically rotated credentials.
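The two correct answers in concrete form, as an added example that is not part of the original question bank or of any AWS project: the script builds the IRSA trust policy that pins the role to one Kubernetes service account, a least-privilege DynamoDB permissions policy that only honours requests arriving through the gateway endpoint, the endpoint policy, and the annotated ServiceAccount, and then reviews the trust policy for the wildcard mistakes that would let any pod in the cluster assume the role. The account id, region, OIDC issuer, namespace, service-account name, table name and endpoint id are constructed placeholders.

```python
"""Added example: IRSA role + DynamoDB gateway endpoint artefacts and a trust-policy
review. All identifiers below are constructed placeholders, not values from the page."""
import json

ACCOUNT_ID = "111122223333"                      # placeholder account
REGION = "us-east-1"
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE = "orders"
SERVICE_ACCOUNT = "orders-api"
TABLE_NAME = "Orders"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"       # placeholder gateway endpoint id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/orders-api-dynamodb"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}"


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy for an IRSA role. The pod's projected service-account token is
    exchanged with sts:AssumeRoleWithWebIdentity; 'sub' pins the role to exactly one
    service account and 'aud' to the STS audience, so no other pod can assume it."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def dynamodb_permissions_policy(table_arn, vpc_endpoint_id):
    """Permissions policy: one table (plus its indexes), only the actions the app
    needs, and only when the request came in through the gateway endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                       "dynamodb:DeleteItem", "dynamodb:Query"],
            "Resource": [table_arn, f"{table_arn}/index/*"],
            "Condition": {"StringEquals": {"aws:SourceVpce": vpc_endpoint_id}},
        }],
    }


def endpoint_policy(role_arn, table_arn):
    """Gateway endpoint policy: the endpoint only carries requests by this role
    against this table, so a compromised pod cannot reach other tables through it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "dynamodb:*",
            "Resource": [table_arn, f"{table_arn}/index/*"],
        }],
    }


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount with the annotation the EKS pod identity webhook reads; pods
    using it get AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE injected."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def trust_policy_findings(policy, oidc_issuer):
    """Review an IRSA trust policy. Returns a list of problems; an empty list means
    the role is pinned to one audience and one service account with no wildcards."""
    findings = []
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        aud = equals.get(f"{oidc_issuer}:aud")
        sub = equals.get(f"{oidc_issuer}:sub") or like.get(f"{oidc_issuer}:sub")
        if aud != "sts.amazonaws.com":
            findings.append("aud not pinned to sts.amazonaws.com")
        if sub is None:
            findings.append("no sub condition: any service account in the cluster may assume the role")
        elif "*" in sub or not sub.startswith("system:serviceaccount:"):
            findings.append(f"sub condition too broad: {sub}")
    return findings


if __name__ == "__main__":
    trust = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", trust_policy_findings(trust, OIDC_ISSUER))
```

The aws:SourceVpce condition doubles as a check that the endpoint is actually in use: if the private subnets' route tables still send DynamoDB traffic out through a NAT gateway, the pod's calls are denied rather than silently taking the public path. The Spring Boot application itself needs no credential code; the SDK's default provider chain reads the injected environment variables.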