The correct combination is:
1. Attach an IAM role with the required permissions to the EKS pod using IAM roles for service accounts (IRSA).
2. Create a VPC endpoint for DynamoDB.

Explanation:
To avoid routing traffic over the internet, a VPC endpoint for DynamoDB must be created. This ensures all requests to DynamoDB are handled through the AWS private network within the VPC. To securely grant the pod access to DynamoDB, IAM Roles for Service Accounts (IRSA) should be used, allowing the pod to assume a specific IAM role without embedding credentials.

Why the other options are incorrect:

Attaching an IAM user to the pod is not a supported practice in AWS. IAM users are intended for individual human users, not applications or services, and credentials would have to be manually managed.

Allowing outbound traffic through the subnets network ACLs is insufficient on its own. While necessary, it does not ensure that traffic stays privatewithout a VPC endpoint, traffic could still reach DynamoDB via the internet if a NAT gateway or internet gateway is in place.

Embedding access keys in the Java code is a security anti-pattern. It creates significant risk of credential exposure and violates AWS best practices for secure application design.

Why this question is important: It evaluates the candidates understanding of secure communication within a VPC, IAM best practices, and integrating AWS managed services with Kubernetes. These are key areas in modern cloud-native design.

Tip: When working with EKS and AWS services like DynamoDB, prefer IRSA over hardcoded credentials, and always use VPC endpoints to ensure private connectivity.

Full AWS Practitioner Certification Question