What should the security engineer do so that the function can rotate the secret?
Add an egress-only internet gateway to the VPC. Allow only the Lambda function’s subnet to route traffic through the egress-only internet gateway.
Add a NAT gateway to the VPC. Configure only the Lambda function’s subnet with a default route through the NAT gateway.
Configure a VPC peering connection to the default VPC for Secrets Manager. Configure the Lambda function’s subnet to use the peering connection for routes.
Configure a Secrets Manager interface VPC endpoint. Include the Lambda function’s private subnet during the configuration process.
Explanations:
An egress-only internet gateway provides only outbound IPv6 access to the internet; it does not give private access to AWS services such as Secrets Manager, which has to be reached from inside the VPC by a different method.
A NAT gateway gives resources in a private subnet outbound access to the internet. Because the requirement is to avoid sending traffic over the internet, a NAT gateway does not satisfy the security policy: the Lambda function's calls to Secrets Manager would still leave the VPC and travel over the public internet.
VPC peering connects two VPCs, but that is not needed to reach Secrets Manager. Secrets Manager is a regional service, not a resource living in another VPC, so no peering connection is required; it can instead be reached privately through an interface VPC endpoint.
A Secrets Manager interface VPC endpoint (AWS PrivateLink) places an elastic network interface in the function's private subnet, so the Lambda function reaches Secrets Manager over private IP addresses with no internet path. This setup satisfies the requirement that the traffic stay within the VPC.
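Terraform for the endpoint the last explanation describes, added here as an illustration and not part of the original question. The input variables (VPC, Lambda subnets, the Lambda function's security group, the secret's ARN) and the action list a rotation function needs are assumptions.

```hcl
# Added example, not from the question. Assumed inputs: IDs of existing
# resources and the ARN of the secret being rotated.
variable "vpc_id"            { type = string }
variable "region"            { type = string }
variable "lambda_subnet_ids" { type = list(string) } # private subnet(s) of the function
variable "lambda_sg_id"      { type = string }       # security group on the Lambda ENIs
variable "secret_arn"        { type = string }

# Only the Lambda function's security group may reach the endpoint, on TCP 443.
# No egress rule is needed: the endpoint only answers requests.
resource "aws_security_group" "secretsmanager_endpoint" {
  name   = "secretsmanager-endpoint"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.lambda_sg_id]
  }
}

resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.lambda_subnet_ids                         # the function's private subnet(s)
  security_group_ids  = [aws_security_group.secretsmanager_endpoint.id]
  private_dns_enabled = true # the SDK's default hostname now resolves to the endpoint ENIs

  # Endpoint policy: a rotation function only needs these actions (assumed list),
  # and only on the secret it rotates. GetRandomPassword is not resource-scoped.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = [
          "secretsmanager:DescribeSecret",
          "secretsmanager:GetSecretValue",
          "secretsmanager:PutSecretValue",
          "secretsmanager:UpdateSecretVersionStage",
        ]
        Resource = var.secret_arn
      },
      { Effect = "Allow", Principal = "*", Action = "secretsmanager:GetRandomPassword", Resource = "*" },
    ]
  })
}
```

Private DNS only works when the VPC has DNS support and DNS hostnames enabled, and the function's own security group must still allow outbound TCP 443 to the endpoint. With the endpoint in place, the Lambda subnet needs no default route at all, which is the property the security policy is after.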