An application is deployed on EC2 instances inside a private VPC subnet.
The application uses KMS CMK to encrypt and decrypt data.
Regulatory requirements specify that this data must not traverse the public internet.
Which solution option satisfies these requirements most efficiently?
A. Access KMS via a VPC Interface Endpoint.
B. Access KMS via a VPC Gateway Endpoint.
C. Access KMS via a NAT Gateway.
D. Access KMS via AWS Direct Connect.
E. Access KMS via a proxy server.
Answer: A.
Option A is CORRECT because a VPC interface endpoint (AWS PrivateLink) gives the VPC a private connection to the KMS service without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. With private DNS enabled on the endpoint, the regional KMS hostname resolves to the endpoint's private IP addresses, so the application's SDK calls reach KMS over the AWS network without any code change.
Option B is incorrect because VPC gateway endpoints support only Amazon S3 and Amazon DynamoDB; there is no gateway endpoint for KMS.
Option C is incorrect because a NAT gateway exists to let instances in a private subnet reach the public internet. KMS traffic would leave the VPC over the internet to the public KMS endpoint, which violates the regulatory requirement.
Option D is incorrect because AWS Direct Connect provides a dedicated private link between an on-premises network and AWS; it does nothing for traffic between EC2 instances and KMS inside AWS and does not meet the requirement.
Option E is incorrect because a proxy server is only an intermediary between the client and the internet, separating end users from the destinations they reach over the public network. KMS traffic routed through a proxy still crosses the public internet, so it does not satisfy the regulatory requirement.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html

The most efficient solution that meets the regulatory requirement of keeping data off the public internet is to access KMS (Key Management Service) through a VPC (Virtual Private Cloud) interface endpoint.
Explanation: When an application is deployed on EC2 instances inside a private VPC subnet, the communication between the EC2 instances and the KMS service should stay on the AWS network. KMS API calls are TLS-protected either way, but reaching the public KMS endpoint over the internet violates the regulatory requirement regardless of encryption.
To ensure a secure connection between the EC2 instances and KMS service, AWS provides several solutions. The available options are:
A. Access KMS via a VPC Interface Endpoint: This is the most efficient solution. A VPC interface endpoint is an elastic network interface (ENI) with a private IP address in one of your subnets; it is the entry point for traffic to the service, and that traffic stays on the Amazon network. The interface endpoint for KMS is created in the same VPC where the application is deployed, and access is controlled by the endpoint's security group, an optional endpoint policy, and conditions in the key policy. This solution requires no internet gateway, NAT device, or Direct Connect connection, which makes it both the most efficient and the most secure option.
B. Access KMS via a VPC Gateway Endpoint: A VPC gateway endpoint is the target of a route in a VPC route table for traffic destined to a supported AWS service. Only Amazon S3 and Amazon DynamoDB are supported, so a gateway endpoint for KMS cannot be created; this option does not work at all.
C. Access KMS via a NAT Gateway: A NAT gateway is a managed network address translation (NAT) service that gives resources in a private subnet a public IP address for outbound internet traffic. There is no KMS-specific NAT gateway; it would simply route the instances' KMS requests out through an internet gateway to the public KMS endpoint, which is exactly the traffic the requirement forbids.
D. Access KMS via an AWS Direct Connect: AWS Direct Connect provides dedicated network connections from on-premises infrastructure to AWS. It is not established between a VPC and KMS, so it does not change how EC2 instances inside the VPC reach the service, and it adds cost and configuration for no benefit here.
E. Access KMS via a proxy server: A proxy server can be used to route traffic from the private subnet to the internet, but the KMS requests still leave AWS over the public network. This option adds configuration and resources without satisfying the requirement.
In conclusion, the most efficient solution to access KMS when an application is deployed on EC2 instances inside a private VPC subnet is to use a VPC Interface Endpoint.
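As an added, runnable example (not code from the original page or from AWS), the policy side of option A: a key policy that explicitly denies Encrypt/Decrypt unless the request arrives through one specific interface endpoint (the `aws:sourceVpce` condition key documented in the first reference), an endpoint policy that limits the endpoint to one key, a simplified evaluator that shows which callers get through, and the resolution check an operator runs after enabling private DNS. The endpoint ID, account ID, role name, key ARN and VPC CIDR are made-up placeholders, and the evaluator models only the key-policy statements, not attached IAM policies.

```python
"""Added example: KMS key policy pinned to a VPC interface endpoint,
a simplified policy evaluator, and the private-DNS sanity check.
All identifiers below are assumed placeholders, not real resources."""
import ipaddress
from fnmatch import fnmatchcase

VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"                  # assumed placeholder
ACCOUNT_ID = "111122223333"                                  # assumed placeholder
VPC_CIDR = "10.0.0.0/16"                                     # assumed placeholder
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")           # assumed placeholder

# Data-plane actions that must only be reachable through the endpoint.
DATA_PLANE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                      "kms:GenerateDataKey*"]


def build_key_policy(vpce_id: str, account_id: str) -> dict:
    """Key policy: account root keeps administration, the app role may use the
    key only via the endpoint, and an explicit Deny blocks data-plane calls
    whose aws:sourceVpce is absent or names another endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableAccountAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowAppRoleThroughEndpoint", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/app-role"},
             "Action": DATA_PLANE_ACTIONS, "Resource": "*",
             "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}}},
            {"Sid": "DenyDataPlaneOutsideEndpoint", "Effect": "Deny",
             "Principal": "*", "Action": DATA_PLANE_ACTIONS, "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}},
        ],
    }


def build_endpoint_policy(key_arn: str) -> dict:
    """Endpoint policy: this endpoint may only be used to reach one key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": DATA_PLANE_ACTIONS + ["kms:DescribeKey"],
         "Resource": key_arn}]}


def _principal_matches(principal, caller: str) -> bool:
    if principal == "*":
        return True
    aws = principal.get("AWS", [])
    return caller in (aws if isinstance(aws, list) else [aws])


def _action_matches(actions, action: str) -> bool:
    patterns = actions if isinstance(actions, list) else [actions]
    return any(fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """StringEquals fails when the key is missing; StringNotEquals holds when
    the key is missing, which is what makes the Deny bite for non-VPC callers."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: dict, caller: str, action: str, context: dict) -> bool:
    """Simplified IAM logic over the key policy only: a matching explicit Deny
    always wins; otherwise the call is allowed only if some Allow matches."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], caller)
                and _action_matches(stmt["Action"], action)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def resolves_privately(resolved_ip: str, vpc_cidr: str) -> bool:
    """With private DNS enabled, kms.<region>.amazonaws.com must resolve to an
    address inside the VPC; a public address means the internet path is still in use."""
    return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(vpc_cidr)


if __name__ == "__main__":
    import json
    policy = build_key_policy(VPC_ENDPOINT_ID, ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    app = f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"
    print(evaluate(policy, app, "kms:Decrypt", {"aws:sourceVpce": VPC_ENDPOINT_ID}))
    print(evaluate(policy, app, "kms:Decrypt", {}))
```

Two caveats a practitioner should keep in mind. First, `aws:sourceVpce` is only present on requests that actually enter through an interface endpoint, so the Deny above also blocks every caller outside the VPC (the console, Lambda functions not attached to the VPC, other accounts); keeping administrative actions out of the Deny list, as here, leaves key management usable. Second, the key policy is one layer: the endpoint's security group must allow TCP 443 from the instances, and the endpoint policy is what stops the endpoint being used to reach keys in other accounts.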