Which security strategy should a database specialist implement to meet these requirements?
Move the QLDB ledger into a private database subnet inside the VPC. Run the Lambda functions inside the same VPC in an application private subnet. Ensure that the VPC route table allows read-only flow from the application subnet to the database subnet.
Create an AWS PrivateLink VPC endpoint for the QLDB ledger. Attach a VPC policy to the VPC endpoint to allow read-only traffic for the Lambda functions that run inside the VPC.
Add a security group to the QLDB ledger to allow access from the private subnets inside the VPC where the Lambda functions that access the QLDB ledger are running.
Create a VPN connection to ensure pairing of the private subnet where the Lambda functions are running with the private subnet where the QLDB ledger is deployed.
Explanations:
QLDB is a fully managed service and cannot be moved into a private subnet inside the VPC. It is accessible over the AWS network, not within the VPC.
AWS PrivateLink provides secure, private connectivity between VPCs and AWS services like QLDB. By using a VPC endpoint with a read-only policy, the Lambda functions can securely access QLDB without leaving the AWS network.
QLDB cannot be associated with security groups as it is a managed service. Security groups apply to EC2 instances, not AWS managed services like QLDB.
A VPN connection is not required for private access to QLDB. QLDB is designed to be accessed via AWS PrivateLink or public endpoints, not through a VPN.
I design that the answer is:
Create an AWS PrivateLink VPC endpoint for the QLDB ledger. Attach a VPC policy to the VPC endpoint to allow read-only traffic for the Lambda functions that run inside the VPC.