VPC Endpoints for DynamoDB enables you to have all network traffic between your Amazon Virtual Private Cloud (VPC) and Amazon DynamoDB stay within the AWS cloud instead of traversing the public internet.
DynamoDB offers data protection and security using TLS endpoints for encryption-in-transit, a client-side encryption library, and fine-grained access control using AWS Identity and Access Management (IAM), providing control at the item and attribute level. VPC Endpoints for DynamoDB further improves privacy and security, especially for applications with strict compliance and audit requirements, or that handle sensitive data.
If you’re connecting to DynamoDB from a VPC, here are four reasons that make using VPC Endpoints for DynamoDB a no-brainer. First, there is no additional cost for using VPC Endpoints for DynamoDB, whereas normal charges apply for traffic that leaves through a NAT gateway. Second, with VPC Endpoints for DynamoDB you do not need an Internet gateway or NAT gateway to reach DynamoDB, so your VPC can remain closed and isolated from the public Internet. Third, VPC endpoints simplify network configuration: because DynamoDB traffic never leaves the AWS network, you do not have to set up and maintain egress firewalls or proxies just to let instances in private subnets reach DynamoDB (security groups and network ACLs on your instances still apply as usual). Fourth, you can use IAM policies with the aws:SourceVpce condition key to allow DynamoDB access only to requests that arrive through a specific VPC endpoint, and only from specific applications or roles.
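The fourth point above is where the security payoff is, so here is an added example (not code from the original post or from AWS) of an IAM identity policy that grants DynamoDB access only to requests arriving through one specific gateway VPC endpoint, together with a deliberately simplified evaluator of the IAM condition logic so the allow/deny outcomes can be checked offline. The endpoint id, account number and table ARNs are hypothetical placeholders; the request contexts in `demo()` are constructed to mimic what IAM would see for each network path.

```python
# Added example, not from the original post or from AWS. Shows an IAM identity
# policy that allows DynamoDB access only via one gateway VPC endpoint, plus a
# small, simplified model of IAM condition evaluation to demonstrate why the
# explicit Deny must use the negated StringNotEquals operator.
import json
from fnmatch import fnmatchcase

ENDPOINT_ID = "vpce-0123456789abcdef0"  # hypothetical endpoint id
ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"  # hypothetical

# Attached to the application's IAM role. The Allow is scoped to one table and
# to requests that carry our endpoint id in aws:SourceVpce. The Deny uses a
# negated operator, which also matches when aws:SourceVpce is absent entirely,
# i.e. a request that reached DynamoDB over the public internet.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOrdersViaEndpoint",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": ORDERS_TABLE,
            "Condition": {"StringEquals": {"aws:SourceVpce": ENDPOINT_ID}},
        },
        {
            "Sid": "DenyAnyPathButOurEndpoint",
            "Effect": "Deny",
            "Action": "dynamodb:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
        },
    ],
}


def policy_json():
    """The policy document as the string you would hand to put-role-policy."""
    return json.dumps(POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Subset of IAM condition semantics for the two operators used above.

    The asymmetry is the whole point: a positive operator fails when the key
    is missing from the request context, a negated operator succeeds when it
    is missing. That is what lets the Deny catch non-endpoint traffic.
    """
    actual = context.get(key)
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"operator {operator} is not modelled by this example")


def _statement_applies(stmt, action, resource, context):
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.

    Mirrors the top-level IAM rule for a single identity policy: any matching
    Deny wins, otherwise a matching Allow, otherwise implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    """Constructed request contexts for a few network paths."""
    via_endpoint = {"aws:SourceVpce": ENDPOINT_ID}
    via_internet = {}  # NAT/IGW path: IAM sets no aws:SourceVpce key at all
    via_other_vpce = {"aws:SourceVpce": "vpce-0fedcba9876543210"}  # hypothetical
    audit_table = "arn:aws:dynamodb:us-east-1:123456789012:table/audit"  # hypothetical
    return {
        "endpoint_get": evaluate(POLICY, "dynamodb:GetItem", ORDERS_TABLE, via_endpoint),
        "internet_get": evaluate(POLICY, "dynamodb:GetItem", ORDERS_TABLE, via_internet),
        "other_vpce_get": evaluate(POLICY, "dynamodb:GetItem", ORDERS_TABLE, via_other_vpce),
        "endpoint_delete": evaluate(POLICY, "dynamodb:DeleteItem", ORDERS_TABLE, via_endpoint),
        "endpoint_other_table": evaluate(POLICY, "dynamodb:GetItem", audit_table, via_endpoint),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The endpoint itself is created with `aws ec2 create-vpc-endpoint --vpc-id <vpc> --service-name com.amazonaws.<region>.dynamodb --route-table-ids <rtb...>`, which adds a route for the DynamoDB prefix list to those route tables; an endpoint policy limiting which tables are reachable through it can be attached with `--policy-document`. Two caveats: the evaluator above ignores resource-based policies, permission boundaries and SCPs, which the real IAM engine also consults, and the explicit Deny applies to every principal the policy is attached to, so keep it on application roles rather than on the role an operator uses from outside the VPC.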