Amazon DynamoDB | VPC endpoints Flashcards
How does encryption at rest work with DynamoDB Global Tables?
VPC endpoints
Amazon DynamoDB | Database
You can enable encryption at rest on your Global Table replicas. Note that Global Tables uses DynamoDB Streams, which does not yet support Encryption at Rest. As a result, replicated data on DynamoDB Streams will not be encrypted at rest.
What are VPC endpoints for Amazon DynamoDB?
Amazon Virtual Private Cloud (VPC) is an AWS service that provides users a virtual private cloud, by provisioning a logically isolated section of the AWS Cloud. VPC endpoints for Amazon DynamoDB are logical entities within a VPC that create a private connection between a VPC and DynamoDB without requiring access over the internet, through a network address translation (NAT) device, or a VPN connection. For more information about VPC endpoints, see VPC Endpoints.
Why should I use VPC endpoints for DynamoDB?
In the past, the main way of accessing Amazon DynamoDB from within a VPC was to traverse the internet, which may have required complex configurations such as firewalls and VPNs. VPC endpoints for DynamoDB improve privacy and security for customers, especially those dealing with sensitive workloads with compliance and audit requirements, by enabling private access to DynamoDB from within a VPC without the need for an internet gateway or NAT gateway. In addition, VPC endpoints for DynamoDB support AWS Identity and Access Management (IAM) policies to simplify DynamoDB access control. You can now easily restrict access to your DynamoDB tables to a specific VPC endpoint.
How do I get started using VPC endpoints for DynamoDB?
You can create VPC endpoints for Amazon DynamoDB by using the AWS Management Console, AWS SDK, or AWS Command Line Interface (CLI). You must specify the VPC and existing route tables in the VPC, and describe the IAM policy to attach to the endpoint. A route is automatically added to each of the specified VPC’s route tables.
Do VPC endpoints for DynamoDB ensure that traffic will not be routed outside of the Amazon network?
Yes, when using VPC endpoints for Amazon DynamoDB, data packets between DynamoDB and your VPC will remain in the Amazon network.
Can I connect to a DynamoDB table in an AWS Region different from my VPC using VPC endpoints for DynamoDB?
No, VPC endpoints can be created only for Amazon DynamoDB tables in the same AWS Region as the VPC.
Do VPC endpoints for DynamoDB limit throughput to DynamoDB?
No, you will continue to get the same throughput to Amazon DynamoDB as you do today from an instance with a public IP within your VPC.
What is the price of using VPC endpoints for DynamoDB?
There is no additional cost for using VPC endpoints for Amazon DynamoDB.
Can I access DynamoDB Streams using VPC endpoints for DynamoDB?
Currently, you cannot access Amazon DynamoDB Streams using VPC endpoints for Amazon DynamoDB.
I currently use an internet gateway and a NAT gateway to send requests to DynamoDB. Do I need to change my application code when I use a VPC endpoint?
Your application code does not need to change. Simply create a VPC endpoint, update your route table to point Amazon DynamoDB traffic at the DynamoDB VPC endpoint, and access DynamoDB directly. You can continue using the same code and same DNS names to access DynamoDB.
Can I use one VPC endpoint for both DynamoDB and another AWS service?
No, each VPC endpoint supports one service. You can create one for Amazon DynamoDB and another for the other AWS service and use both of them in a route table.
Can I have multiple VPC endpoints in a single VPC?
Yes, you can have multiple VPC endpoints in a single VPC. For example, you can have one VPC endpoint for Amazon S3 and one VPC endpoint for Amazon DynamoDB.
Can I have multiple VPC endpoints for DynamoDB in a single VPC?
Yes, you can have multiple VPC endpoints for Amazon DynamoDB in a single VPC. Individual VPC endpoints can have different VPC endpoint policies. For example, you could have a VPC endpoint that is read-only and one that is read/write. However, a single route table in a VPC can only be associated with a single VPC endpoint for DynamoDB, because that route table will route all traffic to DynamoDB through the specified VPC endpoint.
What are the differences between VPC endpoints for S3 and VPC endpoints for DynamoDB?
The main difference is that these two VPC endpoints support different services – Amazon S3 and Amazon DynamoDB.
What IP address will I see in AWS CloudTrail logs for traffic coming from the VPC endpoint for DynamoDB?
AWS CloudTrail logs for Amazon DynamoDB will contain the private IP address of the Amazon EC2 instance in the VPC, and the VPC endpoint identifier (for example, sourceIpAddress=10.89.76.54, VpcEndpointId=vpce-12345678).