Enable Encryption for AWS Direct Connect with DynamoDB
Question
An application in the on-premises location needs to access a DynamoDB table set-up with a Gateway endpoint using AWS Direct Connect.
All data transport between the application and Amazon DynamoDB should be encrypted.
How can you enable such a requirement?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - D.
The AWS Documentation mentions the following.
You can use AWS Direct Connect to establish a dedicated network connection within your network to create a logical connection to public AWS resources, such as an Amazon virtual private gateway IPsec endpoint.
This solution combines the AWS managed benefits of the VPN solution with low latency, increased bandwidth, consistency and an end-to-end, secure connection.
Options A and B are incorrect since just having a VIF alone will not work.
Option C is incorrect since accessing on-premises network needs a VPN connection over public VIF.For more information on such a connectivity option, please refer to the below URL.
https://docs.aws.amazon.com/aws-technical-content/latest/aws-vpc-connectivity-options/aws-direct-connect-plus-vpn-network-to-amazon.htmlPlease also refer to page 741 on the below link on the section "Data Protection in DynamoDB" - the first two paragraphs.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/dynamodb-dg.pdfTo enable encryption between an on-premises application and an Amazon DynamoDB table set up with a Gateway endpoint using AWS Direct Connect, the following steps can be taken:
Set up a Direct Connect Gateway - This allows for multiple VPCs to use the same Direct Connect connection, and also enables access to public resources in the AWS region over Direct Connect.
Set up a Direct Connect Virtual Interface (VI) - This provides a dedicated network connection between the on-premises environment and the VPC where the DynamoDB table is located.
Choose between a private or public VI - A private VI would only allow traffic to resources within the VPC, while a public VI would allow traffic to public resources in the AWS region as well.
Setup VPN Connection - To enable encryption between the on-premises application and the DynamoDB table, a VPN connection can be established over the Direct Connect private VI. This provides an additional layer of security by encrypting the data as it traverses the connection between the on-premises environment and the VPC.
Given the requirement that all data transport between the application and Amazon DynamoDB should be encrypted, the recommended solution would be to setup a VPN connection over a private VI (Option C). This would provide a dedicated and secure network connection between the on-premises application and the DynamoDB table while also ensuring that all data transported between them is encrypted.
