Topic 1 Question 111
A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables provide the database credentials to the Lambda function.
The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the Internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.
What should the solutions architect recommend to meet these requirements?
A. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
B. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.
C. Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
D. Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.
Comments (14)
- Selected Answer: A
A little bit confused between A and D, but as said by other members, D doesn't address the question of "data must not travel across the Internet" ==> A is the answer.
👍 8 zozza2023 2023/01/30

- Selected Answer: A
You are correct. Option A: Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC is the best solution.
It is a combination of measures that work together to meet the requirements:
IAM database authentication for the Aurora DB cluster allows for secure and centralized management of access to the database, and eliminates the need to store user credentials in the database.
Deploying a gateway VPC endpoint for Amazon S3 ensures that data does not travel across the internet and is protected by VPC security. Changing the IAM role for the Lambda function allows it to access the database securely via IAM database authentication.
By implementing the above steps, you can ensure that the data is protected in transit and at rest, and that the impact of a compromise of the database credentials is minimized.
👍 4 masetromain 2023/01/17

- Selected Answer: A
Key is - Data must not travel on the internet. Only S3 VPC Endpoints have this feature.
A VPC endpoint allows you to connect privately to S3 from within your Amazon Virtual Private Cloud (VPC) without the need for an internet gateway, NAT device, or VPN connection. Instead, the endpoint provides a direct and secure connection between your VPC and S3 over the Amazon network backbone.
👍 4 God_Is_Love 2023/03/06
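The comments above explain option A in words; the following is an added worked example (written for this page, not part of the question or any comment, and not AWS's own code) that shows why IAM database authentication limits the blast radius of a leaked credential and how the "no Internet" requirement is actually enforced rather than just routed. It builds the RDS IAM auth token the way the AWS SDKs do (a SigV4 query-string presigned GET for service `rds-db`, scheme stripped, 15-minute lifetime), a `token_is_usable` check that shows the replay window closes, a least-privilege `rds-db:connect` statement, and an S3 bucket policy that denies requests not arriving through the gateway endpoint. All hostnames, keys, account numbers, the cluster resource id and the endpoint id are constructed placeholders. In a real function you would call boto3's `RDS.Client.generate_db_auth_token` rather than sign by hand; the manual signer is here to make the token's structure and expiry visible.

```python
"""Added example: short-lived IAM DB auth token plus the two policies option A relies on."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

# Constructed, fixed timestamp so the token is reproducible; real code passes nothing and gets "now".
FIXED_NOW = dt.datetime(2023, 1, 30, 12, 0, 0, tzinfo=dt.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_iam_db_auth_token(host, port, db_user, region, access_key, secret_key,
                            session_token=None, now=None, expires=900):
    """Return an RDS IAM authentication token for `db_user` on `host:port`.

    The token is a SigV4 query-string presigned GET to https://host:port/?Action=connect
    with the scheme removed; the DB driver sends it as the password. RDS rejects it after
    `expires` seconds (maximum 900), so a captured token is useless within 15 minutes,
    unlike a static password stored in an environment variable.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # Lambda execution-role credentials are STS credentials and carry one
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: sorted keys, everything but unreserved characters percent-encoded.
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET", "/", canonical_qs,
        f"host:{host}:{port}\n",          # canonical headers block; only Host is signed
        "host",                           # signed header list
        hashlib.sha256(b"").hexdigest(),  # empty payload hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac_sha256(_hmac_sha256(_hmac_sha256(k_date, region), "rds-db"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_qs}&X-Amz-Signature={signature}"


def token_is_usable(token: str, now: dt.datetime) -> bool:
    """True if a token could still be replayed at `now`: issued-at <= now < issued-at + expires."""
    qs = urllib.parse.parse_qs(token.split("?", 1)[1])
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return issued <= now < issued + dt.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


def rds_db_connect_policy(region, account_id, cluster_resource_id, db_user):
    """Least-privilege statement for the Lambda role: exactly one DB user on one cluster.

    `cluster_resource_id` is the DbClusterResourceId (cluster-XXXX...), not the cluster name.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{cluster_resource_id}/{db_user}",
    }]}


def s3_vpce_only_bucket_policy(bucket, vpce_id):
    """Bucket policy that rejects every request not arriving through the gateway VPC endpoint.

    Creating the endpoint makes the Lambda's traffic private; this policy makes any other path fail.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaGatewayEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
    }]}


if __name__ == "__main__":
    tok = build_iam_db_auth_token("db.cluster-abc.us-east-1.rds.amazonaws.com", 3306, "app_ro",
                                  "us-east-1", "AKIAEXAMPLE", "secretexample", now=FIXED_NOW)
    print(tok)
    print("usable after 5 min:", token_is_usable(tok, FIXED_NOW + dt.timedelta(minutes=5)))
    print("usable after 16 min:", token_is_usable(tok, FIXED_NOW + dt.timedelta(minutes=16)))
```

Two practical caveats: the `Deny` with `aws:SourceVpce` also blocks administrators using the console or CLI from outside the VPC, so add an exception for a break-glass role before applying it; and the IAM token only replaces the password, so the database user still needs to be created with the IAM authentication plugin (for example `AWSAuthenticationPlugin` on Aurora MySQL) and the Lambda should request TLS when connecting.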