AWS Certified Solutions Architect - Associate / Question #1242 of 1019

Question #1242

A company has deployed a Java Spring Boot application as a pod that runs on Amazon Elastic Kubernetes Service (Amazon EKS) in private subnets. The application needs to read and write objects to an Amazon S3 bucket. A solutions architect must ensure that the application can interact with the S3 bucket without exposing traffic to the internet.

Which combination of steps should the solutions architect take to accomplish this goal? (Choose two.)

A

Attach an IAM role that grants S3 permissions to the EKS pod.

B

Attach an IAM user with S3 access policies to the EKS pod.

C

Allow outbound connectivity to S3 through the private subnets' route tables.

D

Create a Gateway-type VPC endpoint for S3.

E

Store AWS access keys in environment variables within the application.

Explanation

To enable the EKS pod to interact with S3 without internet access:

- A: An IAM role assigned to the pod via IRSA (IAM Roles for Service Accounts) supplies short-lived, automatically rotated credentials, so no long-lived keys need to be hardcoded in the application.
- D: A Gateway VPC endpoint for S3 routes the pod's S3 traffic over the AWS network instead of the public internet, which is what the private-subnet requirement demands.

Why others are incorrect:
- B: IAM users are not recommended for workloads such as pods; roles are more secure and easier to manage because their credentials are temporary and issued on demand.
- C: Creating a Gateway endpoint automatically adds the required S3 route to the associated route tables, so editing the route tables by hand is unnecessary.
- E: Storing access keys in environment variables leaves long-lived secrets readable inside the container and violates best practices.

Key Points: Use IRSA for pod permissions and VPC endpoints for private AWS service access.

Answer

The correct answer is: AD