What should the solutions architect recommend to meet these requirements?

By:
On:
In: SAP-C01
Tagged:
With: 0 Comments
A solutions architect is auditing the security setup of an AWS Lambda function for a company.The Lambda function retrieves the latest changes from an Amazon Aurora database.The Lambda function and the database run in the same VPC.Lambda environment variables are providing the database credentials to the Lambda function.The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS).The data must not travel across the internet.If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.

What should the solutions architect recommend to meet these requirements?

Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.

Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.

Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.

Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials Om Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.

Explanations:

This option enables IAM database authentication, which eliminates the need for static database credentials and uses IAM roles, reducing the risk if credentials are compromised. The gateway VPC endpoint for S3 keeps data transfer within the AWS network, avoiding the public internet.

Although this option enables IAM database authentication, it does not use a VPC endpoint for S3, which could allow data to travel over the internet. Simply enforcing HTTPS on the S3 connection does not ensure traffic stays within AWS, violating the requirement.

Storing credentials in Parameter Store with rotation improves security, but IAM database authentication would be better for secure access. While the S3 VPC endpoint keeps data within AWS, this approach does not fully meet the requirement to reduce credential exposure risk.

Secrets Manager provides password rotation and secure storage, but IAM database authentication is more secure by eliminating the need for static credentials. Also, this option lacks an S3 VPC endpoint, so enforcing HTTPS alone does not meet the requirement to keep data within AWS.

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − 16 =