Which solution will meet these requirements?
Use network ACLs to ensure that any outgoing or incoming connections to any port except DynamoDB are deactivated. Encrypt API calls by using TLS.
Create a VPC endpoint for DynamoDB in the application’s VPC. Use the VPC endpoint to access the table.
Create an AWS Lambda function that has access to DynamoDB. Restrict outgoing access only to this Lambda function from the application.
Use a VPN to route all communication to DynamoDB through the company’s own corporate network infrastructure.
Explanations:
Network ACLs filter at the subnet level by IP range, protocol and port; "DynamoDB" is not a port, so the rule can at best allow the public DynamoDB IP ranges, and the traffic still leaves the VPC through an internet gateway. The AWS SDKs already call DynamoDB over HTTPS, so adding TLS changes nothing about the path. Neither measure provides private connectivity or reduces latency.
Creating a VPC endpoint for DynamoDB gives the application in the VPC private connectivity to the service over the AWS network, avoiding the public internet and minimizing network latency. DynamoDB uses a gateway endpoint: it is a route-table entry for the service's prefix list, so no internet gateway or NAT device is needed, there is no hourly charge, and an endpoint policy can restrict which tables and actions are reachable through it.
Using a Lambda function as a proxy for DynamoDB adds an invocation hop and an extra service to secure, which increases latency rather than reducing it. It also does not address the need for private connectivity from the application, which would still reach the Lambda API over the network.
A VPN that hairpins DynamoDB traffic through the corporate network and back to AWS adds latency and is unnecessary, because DynamoDB supports VPC endpoints for private communication directly from the VPC. It would also complicate the network setup without providing any performance benefit.
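The correct option in practice, written as a Terraform configuration. This is an added example, not part of the original question or its explanations; the region, VPC ID, route table IDs and table name are placeholder variables the reader supplies. It creates the gateway endpoint, attaches an endpoint policy scoped to one table, and shows the identity-policy condition that refuses calls not arriving through that endpoint.

```hcl
# Added example: gateway VPC endpoint for DynamoDB with a scoped endpoint policy.
# All variable values below are assumptions for illustration.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = var.region
}

variable "region" {
  type    = string
  default = "us-east-1" # assumed region
}

variable "vpc_id" {
  type = string # the application's VPC
}

variable "route_table_ids" {
  type = list(string) # route tables of the subnets the application runs in
}

variable "table_name" {
  type    = string
  default = "orders" # assumed table name
}

data "aws_caller_identity" "current" {}

# Endpoint policy: only the one table (and its indexes) is reachable through
# the endpoint. Callers still need their own IAM permissions; the endpoint
# policy only narrows what may pass through the endpoint.
data "aws_iam_policy_document" "dynamodb_endpoint" {
  statement {
    effect = "Allow"
    actions = [
      "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
      "dynamodb:DeleteItem", "dynamodb:Query",
      "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem",
    ]
    resources = [
      "arn:aws:dynamodb:${var.region}:${data.aws_caller_identity.current.account_id}:table/${var.table_name}",
      "arn:aws:dynamodb:${var.region}:${data.aws_caller_identity.current.account_id}:table/${var.table_name}/index/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

# Gateway endpoint: adds a route for the DynamoDB prefix list to each route
# table, so traffic never traverses an internet gateway or NAT device.
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.route_table_ids
  policy            = data.aws_iam_policy_document.dynamodb_endpoint.json
}

# Identity policy to attach to the application's role: deny any DynamoDB call
# that did not arrive via this endpoint, so a subnet whose route table was
# missed cannot silently fall back to the public endpoint.
data "aws_iam_policy_document" "require_endpoint" {
  statement {
    effect    = "Deny"
    actions   = ["dynamodb:*"]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.dynamodb.id]
    }
  }
}
```

After `terraform apply`, the affected route tables show a route whose destination is the DynamoDB prefix list (`pl-...`) and whose target is the endpoint ID. From an instance in one of those subnets, a `GetItem` against the named table succeeds while `ListTables` is rejected, because the endpoint policy does not allow it; that rejection is the quickest check that the policy, and not just the route, is in effect.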