Securing EC2 Instance Access to KMS Service within AWS Network

Private Subnet Access to KMS Service | AWS Certified Security - Specialty

Question

You have an EC2 Instance in a private subnet that needs to access the KMS service privately within the AWS network.

Which of the following methods can help to fulfill this requirement, keeping security in perspective?

Answers

A. Use a VPC endpoint.
B. Attach an Internet Gateway to the subnet.
C. Attach a VPN connection to the VPC.
D. Use VPC peering.

Explanations

Answer: A.

Option A is CORRECT because when you use a VPC endpoint, communication between your VPC (and therefore the EC2 instance inside it) and AWS KMS is conducted entirely within the AWS network.

Option B is incorrect because the requirement is for the EC2 instance to reach KMS within the AWS network, whereas an Internet Gateway gives EC2 instances a route to the public Internet.

Option C is incorrect because AWS VPN is used to connect on-premises environments to AWS; it does not provide connectivity between AWS services such as EC2 and KMS.

Option D is incorrect because VPC Peering is used for communication between VPCs and would not help the EC2 instance communicate with KMS within the AWS network.

For more information on accessing KMS via an endpoint, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html

The correct answer is A. Use a VPC endpoint.

Explanation:

By default, an EC2 instance reaches an AWS service API such as KMS through the service's public endpoint, so the traffic leaves the VPC and travels over the internet. In this case, however, the requirement is to access the KMS service privately within the AWS network, which means the traffic must not go over the internet.

A VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. With a VPC endpoint, traffic between your VPC and the KMS service stays within the AWS network and never traverses the internet, which satisfies the requirement of accessing the KMS service privately within the AWS network.
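As an added example (not code from the original page), the following Terraform defines the interface VPC endpoint described above: a KMS endpoint in the instance's private subnet, a security group that admits only HTTPS from that subnet, private DNS so the standard KMS hostname resolves to the endpoint, and an endpoint policy scoped to the owning account. The VPC ID, subnet ID, CIDR and region are assumed placeholders.

```hcl
# Added example, not the page's own code. vpc_id, subnet, CIDR and region are
# assumed placeholders; replace them with the values of the instance's VPC.
locals {
  vpc_id              = "vpc-0123456789abcdef0"      # assumed
  private_subnet_ids  = ["subnet-0123456789abcdef0"] # assumed
  private_subnet_cidr = "10.0.1.0/24"                # assumed
  region              = "us-east-1"                  # assumed
}
data "aws_caller_identity" "current" {}

# The endpoint's network interface accepts TLS only from the private subnet;
# nothing else in the VPC can reach KMS through this endpoint.
resource "aws_security_group" "kms_endpoint" {
  name   = "kms-endpoint-sg"
  vpc_id = local.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.private_subnet_cidr]
  }
}

resource "aws_vpc_endpoint" "kms" {
  vpc_id             = local.vpc_id
  service_name       = "com.amazonaws.${local.region}.kms"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = local.private_subnet_ids
  security_group_ids = [aws_security_group.kms_endpoint.id]
  # With private DNS, kms.<region>.amazonaws.com resolves to the endpoint's
  # private IPs, so the instance's SDK or CLI needs no endpoint override.
  private_dns_enabled = true
  # Endpoint policy: only principals from this account may call KMS through
  # the endpoint, so credentials belonging to another account gain nothing here.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyThisAccountViaEndpoint"
      Effect    = "Allow"
      Principal = "*"
      Action    = "kms:*"
      Resource  = "*"
      Condition = {
        StringEquals = { "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id }
      }
    }]
  })
}
```

Once applied, `aws kms list-keys` from the instance succeeds with no route to the internet, and resolving the KMS hostname from the instance returns private addresses inside the subnet.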

Option B, attaching an internet gateway to the subnet, is not the correct answer because the requirement is to access the KMS service privately within the AWS network, and an internet gateway would send the traffic over the internet.

Option C, attaching a VPN connection to the VPC, is not the correct answer because it also carries traffic over the internet, which is not what this scenario requires.

Option D, using VPC peering, is not the correct answer because it provides communication between two VPCs, whereas the requirement is for the instance to reach the KMS service privately from within its own VPC.

In summary, the correct option to access the KMS service privately within the AWS network is to use a VPC endpoint.