Which combination of changes should the Solutions Architect make to improve the solution’s security?
(Choose two.)
Configure Lambda to assume a role in the management account with appropriate access to AWS.
Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.
Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials.
Use an SCP on the management account’s OU to prevent IAM users from accessing resources in the Service team’s account.
Enable AWS Shield Advanced on the management account to shield sensitive resources from unauthorized IAM access.
Explanations:
Configuring Lambda to assume a role in the management account provides a more secure way to manage permissions. Instead of hardcoding IAM credentials, using roles allows for temporary security credentials, reducing the risk of credential exposure.
Using AWS Secrets Manager to store database credentials provides secure storage and management of sensitive information. It also allows for automatic rotation of credentials, ensuring that the application always uses valid credentials without manual intervention.
While rotating credentials is a good practice, creating a Lambda function to rotate credentials every hour by deploying a new version is inefficient and could introduce complexity and potential downtime. Proper use of AWS Secrets Manager already handles credential rotation effectively.
Using Service Control Policies (SCPs) to prevent IAM users from accessing resources in the Service team’s account does not address the root issue of hardcoded credentials in the Lambda function. It is focused on restricting access rather than on securing the credentials themselves.
Enabling AWS Shield Advanced is primarily focused on protecting applications from DDoS attacks. It does not directly enhance the security of IAM access or credential management within Lambda functions or AWS accounts.
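As an added illustration of the two correct answers (example code, not part of the original question or its explanations), the Python below shows the credential path such a Lambda function would use: STS AssumeRole for short-lived credentials instead of hardcoded IAM user keys, and a Secrets Manager lookup that keeps working after automatic rotation retires the cached password. The role ARN, secret name, the DbCredentialSource class and the FakeSecretsManager stand-in are assumed names constructed for this example; in a real function the boto3 sts and secretsmanager clients are passed in place of the fake.

```python
import json

MANAGEMENT_ROLE_ARN = "arn:aws:iam::111111111111:role/PLACEHOLDER-DbAccess"  # placeholder, assumed
DB_SECRET_ID = "placeholder/db-credentials"  # placeholder, assumed

def assume_management_role(sts_client, role_arn=MANAGEMENT_ROLE_ARN):
    """Short-lived STS credentials (15 min) instead of hardcoded IAM user keys."""
    c = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="lambda-db-access",
                               DurationSeconds=900)["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"], "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

class DbCredentialSource:
    """Caches the AWSCURRENT secret across warm invocations and re-reads it once
    when the database rejects a value that rotation has already retired."""
    def __init__(self, secrets_client, secret_id=DB_SECRET_ID):
        self._sm, self._secret_id, self._cached = secrets_client, secret_id, None
    def current(self, force_refresh=False):
        if self._cached is None or force_refresh:
            resp = self._sm.get_secret_value(SecretId=self._secret_id, VersionStage="AWSCURRENT")
            self._cached = json.loads(resp["SecretString"])
        return self._cached
    def connect(self, connect_fn):
        """connect_fn(creds) must raise PermissionError when the DB refuses the credentials."""
        try:
            return connect_fn(self.current())
        except PermissionError:  # cached value retired by rotation: refresh once, then retry
            return connect_fn(self.current(force_refresh=True))

class FakeSecretsManager:
    """Constructed stand-in for a boto3 secretsmanager client so the flow runs offline."""
    def __init__(self, password):
        self.password, self.reads = password, 0
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.reads += 1
        return {"SecretString": json.dumps({"username": "app", "password": self.password})}

def simulate_rotation():
    """Warm Lambda caches pw-v1; rotation moves DB and secret to pw-v2; one retry recovers."""
    sm, accepted = FakeSecretsManager("pw-v1"), {"password": "pw-v1"}  # DB accepts pw-v1
    src = DbCredentialSource(sm)
    def connect(creds):
        if creds["password"] != accepted["password"]:
            raise PermissionError("authentication failed")
        return "connected with " + creds["password"]
    first = src.connect(connect)                  # cache miss: 1 read
    second = src.connect(connect)                 # cache hit: still 1 read
    sm.password = accepted["password"] = "pw-v2"  # Secrets Manager rotation ran
    third = src.connect(connect)                  # stale -> refresh and retry: 2 reads
    return first, second, third, sm.reads
```

The retry-once-on-auth-failure path is what lets a warm Lambda container tolerate automatic rotation without redeploying, which is the complexity the hourly-redeploy option in the question would otherwise introduce.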