Q23 — AWS SAP-C02 Ch.1
Q98. A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables are providing the database credentials to the Lambda function. The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise. What should the solutions architect recommend to meet these requirements?
- A. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC. ✓
- B. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.
- C. Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
- D. Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.
Correct Answer: A. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
Explanation
To secure the AWS Lambda function and minimize the impact of any compromised database credentials, the solutions architect should recommend option A: enable IAM database authentication on the Aurora DB cluster, change the IAM role for the Lambda function so that it can access the database by using IAM database authentication, and deploy a gateway VPC endpoint for Amazon S3 in the VPC.

1. Enable IAM database authentication on the Aurora DB cluster: IAM database authentication lets the function authenticate to Aurora with AWS Identity and Access Management (IAM) users and roles instead of a password. This improves security by eliminating the need to store database credentials in the Lambda environment variables.
2. Change the IAM role for the Lambda function to allow access to the database using IAM authentication: modify the IAM role associated with the Lambda function to grant it permission to access the Aurora database using IAM authentication, so the function authenticates securely without relying on credentials stored in environment variables.
3. Deploy a gateway VPC endpoint for Amazon S3 in the VPC: with a gateway endpoint, data transfer between the Lambda function and the S3 bucket does not traverse the public internet, which satisfies the requirement that the data must not travel across the internet.

Options B, C, and D are incorrect because they do not provide an adequate solution for managing and securing the database credentials:

- Option B enables IAM database authentication and enforces HTTPS on the connection to Amazon S3. While these measures improve security, they do not address securely managing and protecting the database credentials.
- Option C saves the database credentials in AWS Systems Manager Parameter Store and uses a gateway VPC endpoint for Amazon S3. Parameter Store can store sensitive information, but it does not provide the same level of security and access control as Secrets Manager, and the gateway VPC endpoint for Amazon S3 does nothing to secure the database credentials.
- Option D saves the database credentials in AWS Secrets Manager with password rotation, changes the IAM role so the Lambda function can access Secrets Manager, and modifies the function to retrieve the credentials from there. Secrets Manager provides a secure way to store and manage secrets, but this option does not address the requirement that data must not travel across the internet.

Therefore, the correct solution is option A: enable IAM database authentication on the Aurora DB cluster, change the IAM role for the Lambda function to allow access using IAM authentication, and deploy a gateway VPC endpoint for Amazon S3. It is passwordless, and the gateway VPC endpoint keeps the S3 data transfer off the internet.
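The following Python is an added example, not part of the exam page or any AWS sample, showing the three pieces of option A an auditor would actually check: the least-privilege `rds-db:connect` policy for the function's execution role, an audit of the Lambda environment variables for leftover static credentials, and a check that the VPC has a Gateway (not Interface) endpoint for S3. The region, account id, cluster resource id, DB user, VPC id, sample environments and sample endpoint records are all constructed placeholders; `connect_with_iam_token` shows the runtime path with boto3's `generate_db_auth_token` and pymysql but is not executed offline, and its CA bundle path is a placeholder.

```python
import re

# ---- constructed placeholders (not from the exam page) ----
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
CLUSTER_RESOURCE_ID = "cluster-ABCDEFGHIJKL0123456789"  # Aurora cluster resource id
DB_USER = "lambda_reader"
VPC_ID = "vpc-0123456789abcdef0"

# Constructed Lambda environments: "before" carries a static password, "after"
# carries only what IAM database authentication needs (host, port, user).
SAMPLE_ENV_BEFORE = {"DB_HOST": "aurora.example.internal", "DB_PORT": "3306",
                     "DB_USER": DB_USER, "DB_PASSWORD": "hunter2"}
SAMPLE_ENV_AFTER = {"DB_HOST": "aurora.example.internal", "DB_PORT": "3306",
                    "DB_USER": DB_USER}

# Constructed records in the shape of EC2 DescribeVpcEndpoints output.
SAMPLE_ENDPOINTS = [
    {"VpcId": VPC_ID, "ServiceName": f"com.amazonaws.{REGION}.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
]
SAMPLE_INTERFACE_ONLY = [
    {"VpcId": VPC_ID, "ServiceName": f"com.amazonaws.{REGION}.s3",
     "VpcEndpointType": "Interface", "State": "available"},
]

CREDENTIAL_KEY = re.compile(r"(PASSWORD|PASSWD|PWD|SECRET)", re.IGNORECASE)


def rds_connect_policy(region, account_id, cluster_resource_id, db_user):
    """Least-privilege policy for the Lambda execution role: it may request an
    auth token only for this one DB user on this one cluster.
    ARN form: arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db-user>
    """
    resource = f"arn:aws:rds-db:{region}:{account_id}:dbuser:{cluster_resource_id}/{db_user}"
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": resource}],
    }


def credential_like_env_vars(environment):
    """Audit helper: names of environment variables that look like static
    credentials. After moving to IAM authentication this should be empty."""
    return sorted(k for k in environment if CREDENTIAL_KEY.search(k))


def has_s3_gateway_endpoint(vpc_endpoints, vpc_id, region):
    """True if the VPC has an available Gateway endpoint for S3, which is what
    keeps the Lambda-to-S3 path off the public internet."""
    service = f"com.amazonaws.{region}.s3"
    return any(
        ep.get("VpcId") == vpc_id
        and ep.get("ServiceName") == service
        and ep.get("VpcEndpointType") == "Gateway"
        and ep.get("State") == "available"
        for ep in vpc_endpoints
    )


def connect_with_iam_token(host, port, user, region):
    """Runtime path inside the function: obtain a short-lived signed token
    (valid for 15 minutes) instead of a password and present it over TLS.
    Needs network access, boto3 and pymysql, so it is not run in the demo."""
    import boto3
    import pymysql
    token = boto3.client("rds", region_name=region).generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user, Region=region
    )
    # Aurora rejects IAM tokens over cleartext connections, so TLS is mandatory.
    return pymysql.connect(host=host, port=port, user=user, password=token,
                           ssl={"ca": "/opt/rds-ca-bundle.pem"})  # placeholder CA path


if __name__ == "__main__":
    print(rds_connect_policy(REGION, ACCOUNT_ID, CLUSTER_RESOURCE_ID, DB_USER))
    print("credential-like vars before:", credential_like_env_vars(SAMPLE_ENV_BEFORE))
    print("credential-like vars after:", credential_like_env_vars(SAMPLE_ENV_AFTER))
    print("S3 gateway endpoint present:", has_s3_gateway_endpoint(SAMPLE_ENDPOINTS, VPC_ID, REGION))
```

The policy scopes the token to a single DB user on a single cluster, which is the "minimize the impact" part of the question: a leaked token expires within minutes and cannot be replayed against another user or cluster. The endpoint check insists on `Gateway` rather than `Interface` because option A names a gateway endpoint; an interface endpoint would also keep traffic private, but the exam answer is specific.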