Which combination of the following actions MOST satisfies this requirement?
(Choose two.)
Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company’s VPC endpoint ID.
Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
Create a VPC endpoint for AWS KMS with private DNS enabled.
Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".
Explanations:
Adding the aws:sourceVpce condition to the KMS key policy ensures that requests to the key are accepted only when they arrive through the specified VPC endpoint, so the traffic stays within the AWS private network.
Removing the VPC internet gateway and adding a virtual private gateway does not directly address the requirement for private communication with KMS over a VPC endpoint.
Creating a VPC endpoint for KMS with private DNS enabled ensures that all communication between the VPC and KMS remains private and does not use public endpoints.
Using the KMS Import Key feature over a VPN is not relevant to the requirement of ensuring that communications between VPC and KMS stay within AWS’s private network.
The aws:SourceIp condition in the KMS key policy restricts access based on the caller's IP range; it does not force traffic to stay within the AWS network, because a request from an allowed address can still reach KMS through the public endpoint.
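To make the two correct answers concrete, the following is an added example of the KMS key policy statement described above; it is not from the original question or from AWS documentation verbatim. The account ID, key administrator role and VPC endpoint ID are placeholders that you would replace with your own values. The first statement keeps administrative access for the account so the key cannot be locked out; the second denies the cryptographic operations to any caller whose request did not arrive via the named VPC endpoint, which is what the aws:sourceVpce condition enforces.

```json
{
  "Version": "2012-10-17",
  "Id": "kms-private-endpoint-only",
  "Statement": [
    {
      "Sid": "AllowKeyAdministrationFromTheAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KmsKeyAdminRole" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyCryptoOperationsOutsideTheVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-EXAMPLE0123456789" }
      }
    }
  ]
}
```

The endpoint referenced by the condition is the one created in the other correct answer; with the AWS CLI that is `aws ec2 create-vpc-endpoint --vpc-id <your-vpc-id> --vpc-endpoint-type Interface --service-name com.amazonaws.<region>.kms --subnet-ids <subnet-ids> --security-group-ids <sg-id> --private-dns-enabled`, after which the policy is applied with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json`. Private DNS matters because it makes the regional KMS hostname resolve to the endpoint's private IPs inside the VPC, so SDK clients need no configuration change. Note that the Deny statement applies to every principal, including administrators and AWS services that call KMS on your behalf; if the key is used by such services, scope the Deny to the principals or actions that genuinely must be confined to the VPC, otherwise those calls will start failing.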