Question #640
A solutions architect is reviewing the security configuration of an AWS Lambda function that processes user transactions stored in an Amazon RDS PostgreSQL database. The Lambda function and the database reside within the same VPC. Currently, the Lambda function uses environment variables to store the database credentials. Processed data is stored in an Amazon S3 bucket encrypted with SSE-KMS. The company mandates that all data transfers must occur within the AWS network and requires a solution to minimize exposure if database credentials are leaked.
What should the solutions architect recommend to meet these requirements?
A. Enable IAM database authentication for the RDS PostgreSQL database. Modify the Lambda function's IAM role to grant permissions for IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
B. Enable IAM database authentication for the RDS PostgreSQL database. Modify the Lambda function's IAM role to grant permissions for IAM database authentication. Enforce HTTPS on all connections to Amazon S3 during data transfers.
C. Store the database credentials in AWS Systems Manager Parameter Store. Configure credential rotation in Parameter Store. Update the Lambda function's IAM role to allow access to Parameter Store. Modify the Lambda function to fetch credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
D. Store the database credentials in AWS Secrets Manager. Configure credential rotation in Secrets Manager. Update the Lambda function's IAM role to allow access to Secrets Manager. Modify the Lambda function to fetch credentials from Secrets Manager. Enforce HTTPS on all connections to Amazon S3 during data transfers.
Explanation
The correct answer is A. Here's why:
- IAM Database Authentication: Replacing the static password with IAM database authentication means the function authenticates with a short-lived token obtained through its IAM role, so a leaked value is of limited use and nothing long-lived has to be stored in environment variables.
- VPC Gateway Endpoint for S3: Routes traffic from the VPC to S3 over the AWS network rather than the public internet, which satisfies the requirement that data transfers stay within AWS.
Why Other Options Are Incorrect:
- B: Enforcing HTTPS protects data in transit but does not guarantee that traffic stays within the AWS network. Without a VPC endpoint, S3 traffic from the VPC can still traverse the public internet.
- C/D: Storing credentials in Parameter Store or Secrets Manager improves security but still relies on a static password, even with rotation. IAM authentication is the stronger choice because it removes the long-lived password entirely. Additionally, D does not use a VPC endpoint for S3.
Key Points:
- Use IAM authentication for RDS to avoid static credentials.
- VPC endpoints ensure AWS service traffic remains internal.
- HTTPS alone does not enforce AWS network boundaries.
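As an added example that is not part of the original question or its answer, the Lambda-side pattern option A describes, in Python: a least-privilege execution-role policy scoped to one database user, the short-lived IAM auth token that replaces the environment-variable password, and the TLS-required connection arguments. The region, account id, DB resource id, bucket and key ARN are placeholders, and boto3/psycopg2 are only needed when the token and connection functions are actually called.

```python
"""Option A in code: IAM database authentication from a Lambda function (added example)."""


def execution_role_policy(region, account_id, db_resource_id, db_user, bucket, kms_key_arn):
    """Least-privilege policy for the Lambda role.

    rds-db:connect is scoped to a single DB user on a single instance (resource id,
    not the instance name), so a compromised role cannot log in as other users.
    Writes to the SSE-KMS bucket also need KMS permissions on the bucket's key.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "rds-db:connect",
                "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}",
            },
            {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": kms_key_arn},
        ],
    }


def db_auth_token(host, port, user, region):
    """Signed, short-lived token (valid 15 minutes) that stands in for the password.

    It is derived from the role's temporary credentials, so nothing static is kept
    in environment variables; a leaked token expires on its own.
    """
    import boto3  # imported lazily so the policy helper works without the SDK installed

    rds = boto3.client("rds", region_name=region)
    return rds.generate_db_auth_token(DBHostname=host, Port=port, DBUsername=user, Region=region)


def connect_kwargs(host, port, user, dbname, token):
    """psycopg2.connect(**kwargs): IAM auth requires TLS, hence sslmode=require."""
    return {
        "host": host,
        "port": port,
        "user": user,
        "dbname": dbname,
        "password": token,  # the IAM token, never a stored password
        "sslmode": "require",
    }
```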
Answer
The correct answer is: A