Securing EC2 Instance Access to Kinesis Data Streams within VPC | AWS Certified Security - Specialty Exam

Ensure Secure Access to Kinesis Data Streams within VPC

Question

You have an application that is going to be hosted on an EC2 Instance.

The application needs to access Kinesis Data streams.

There is a security mandate that no data should leave the VPC onto the Internet.

Which of the following would help you ensure the application adheres to the security requirement?

Answers

A. Enable VPC Enhanced Routing

B. Make use of a NAT gateway

C. Make use of a VPC Endpoint gateway

D. Make use of a VPC Endpoint Interface

Explanations

Answer - D.

The AWS Documentation mentions the following.

You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Kinesis Data Streams from leaving the Amazon network.

Interface VPC endpoints don't require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Option A is incorrect because VPC Enhanced Routing is a feature for Amazon Redshift and does not help in this scenario.

Option B is incorrect because, with a NAT gateway, the traffic still traverses the internet on its way to Kinesis.

Option C is incorrect because a VPC Endpoint gateway is only used for S3 and DynamoDB.

For more information on accessing Kinesis streams via a VPC, please refer to the below URL.

https://docs.aws.amazon.com/streams/latest/dev/vpc.html

To ensure that the application adheres to the security mandate that no data should leave the VPC onto the Internet while accessing Kinesis Data streams, you can make use of a VPC Endpoint.

A VPC Endpoint is a service that enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. It allows traffic to be sent directly from the VPC to the AWS service via a private network connection, without going over the Internet.

There are two types of VPC Endpoints:

  1. Gateway Endpoints: A gateway endpoint is a horizontally scaled service that allows communication between resources in your VPC and a supported AWS service.

  2. Interface Endpoints: An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service.
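To turn the interface-endpoint description above (and the AWS documentation quoted earlier) into something deployable, here is an added CloudFormation example that is not part of this page or of AWS's documentation: it creates the Kinesis Data Streams interface endpoint with private DNS and an endpoint policy, and attaches an explicit Deny so the instance role cannot reach Kinesis except through that endpoint. The VPC, private subnets, application security group, instance role name and the stream name are assumed placeholders.

```yaml
# Added example (not the page's or AWS's own code). Assumed placeholders:
# the VPC, private subnets, app security group, app instance role and stream name.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: "AWS::EC2::VPC::Id" }
  PrivateSubnetIds: { Type: "List<AWS::EC2::Subnet::Id>" }
  AppSecurityGroupId: { Type: "AWS::EC2::SecurityGroup::Id" }
  AppRoleName: { Type: String }            # role attached to the EC2 instance
  StreamName: { Type: String, Default: app-events }
Resources:
  EndpointSecurityGroup:                   # only the app may talk to the endpoint ENIs
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the application security group only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref AppSecurityGroupId }
  KinesisEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.kinesis-streams"
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true              # kinesis.<region>.amazonaws.com now resolves to the ENIs
      PolicyDocument:                      # endpoint policy: only this account's stream is reachable
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: ["kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStreamSummary"]
            Resource: !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${StreamName}"
  KinesisViaEndpointOnly:                  # the role's existing Allow for the stream is assumed
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: kinesis-via-endpoint-only
      Roles: [!Ref AppRoleName]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # A request that reached Kinesis over the public endpoint (for example
          # via a NAT gateway) carries no aws:SourceVpce, so it is denied.
          - Effect: Deny
            Action: "kinesis:*"
            Resource: "*"
            Condition:
              StringNotEquals: { "aws:SourceVpce": !Ref KinesisEndpoint }
```

To verify from the instance, resolve kinesis.<region>.amazonaws.com: it should return the endpoint ENIs' private addresses, and any call that still leaves the VPC is the one the Deny statement rejects.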

Among the given options, C and D are the correct choices to ensure that the application adheres to the security requirement.

Option A, Enable VPC Enhanced Routing, is not directly related to the requirement of ensuring that no data leaves the VPC onto the Internet. It helps to route traffic between subnets in a VPC and other AWS services, but it does not prevent traffic from going out of the VPC.

Option B, Make use of a NAT gateway, is also not a correct choice because a NAT gateway is used to enable instances in a private subnet to connect to the Internet or other AWS services, but it does not prevent traffic from going out of the VPC.

Therefore, the best options to ensure that the application adheres to the security requirement are either C or D, depending on the type of Kinesis Data streams that the application will access. If the Kinesis Data streams are supported by a VPC Endpoint service, you can use a VPC Endpoint gateway (option C). If the Kinesis Data streams are not supported by a VPC Endpoint service, you can use a VPC Endpoint Interface (option D).