Question 3
Domain 3: Continuous Improvement for Existing Solutions
A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables are providing the database credentials to the Lambda function. The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise. What should the solutions architect recommend to meet these requirements?
Correct answer: A
Explanation
IAM database authentication lets Lambda connect to Aurora without storing long-lived database passwords in environment variables, so a compromised credential has limited value: the execution role issues short-lived tokens instead of a static password. A gateway VPC endpoint for S3 keeps traffic between the VPC and S3 on the AWS network, meeting the requirement that data must not travel across the internet. The Lambda role is granted database access through IAM, aligning with least privilege.
Why each option is right or wrong
A. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
Aurora supports IAM database authentication, which replaces static database passwords with short-lived authentication tokens generated from the Lambda execution role; for Aurora MySQL and PostgreSQL this is the documented mechanism to avoid long-lived credentials in environment variables and to reduce blast radius if a secret is exposed. For the S3 path, an S3 gateway VPC endpoint keeps traffic between the VPC and S3 on the AWS network rather than over the public internet, satisfying the no-internet requirement while still allowing the Lambda function to write the aggregated data to the bucket.
B. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.
HTTPS encrypts traffic in transit, but without a VPC endpoint the connection to S3 can still traverse the public internet, so the no-internet requirement is not met.
C. Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
Parameter rotation shortens the window in which a leaked password is useful, but the design still relies on stored database passwords rather than eliminating them.
D. Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.
Secrets Manager improves secret handling and rotation, but HTTPS alone does not keep S3 traffic off the internet, and the function still depends on a stored password.
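The following Python is an added example, not part of the original question or explanation, showing what the option A design looks like in practice: an audit check for password-style environment variables, the least-privilege `rds-db:connect` statement for the Lambda role, a restrictive policy for the S3 gateway endpoint, and a connection routine that uses a short-lived IAM token instead of a stored password. The region, account id, DB resource id, user, bucket and host names are placeholders; `pymysql` and the RDS CA bundle are assumed to be packaged with the function.

```python
"""Option A in code (added example): IAM database authentication for Aurora plus
an S3 gateway endpoint, with no database password in the Lambda environment.
All identifiers below are placeholders, not values from any real account."""
import os

# Environment variable names that indicate a long-lived database password is
# still being injected, which is exactly what option A is meant to remove.
PASSWORD_LIKE_KEYS = ("DB_PASSWORD", "DB_PASS", "DATABASE_PASSWORD", "MYSQL_PWD", "PGPASSWORD")


def find_credential_env_vars(env):
    """Audit check: names of environment variables that look like stored DB passwords."""
    return sorted(k for k in env if k.upper() in PASSWORD_LIKE_KEYS or "PASSWORD" in k.upper())


def rds_connect_policy(region, account_id, db_resource_id, db_user):
    """Least-privilege statement for the Lambda execution role.

    rds-db:connect is scoped to one database user on one cluster; the resource
    format is arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db_user>."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}",
        }],
    }


def s3_endpoint_policy(bucket_name):
    """Endpoint policy for the gateway VPC endpoint: only the aggregation bucket
    is reachable through it, so the private path cannot be reused for other buckets."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
        }],
    }


def get_db_connection(host, user, region, port=3306, ca_bundle="/opt/rds-combined-ca-bundle.pem"):
    """Connect to Aurora MySQL with a short-lived IAM auth token (valid 15 minutes).

    boto3 is bundled in the Lambda runtime; pymysql and the CA bundle path are
    assumed to be part of the deployment package. The token is only accepted over TLS."""
    import boto3
    import pymysql

    rds = boto3.client("rds", region_name=region)
    token = rds.generate_db_auth_token(DBHostname=host, Port=port, DBUsername=user, Region=region)
    return pymysql.connect(host=host, user=user, password=token, port=port,
                           database="app", ssl={"ca": ca_bundle})


def handler(event, context):
    """Lambda entry point (assumed handler shape): refuse to run if a stored password
    is still present, then pull rows with an IAM token and write them to S3 with SSE-KMS."""
    import boto3

    leaked = find_credential_env_vars(os.environ)
    if leaked:
        raise RuntimeError(f"stored DB credentials still present in environment: {leaked}")

    region = os.environ["AWS_REGION"]
    conn = get_db_connection(os.environ["DB_HOST"], os.environ["DB_USER"], region)
    try:
        with conn.cursor() as cur:
            cur.execute("SELECT id, updated_at FROM changes WHERE updated_at > NOW() - INTERVAL 1 HOUR")
            body = "\n".join(f"{row[0]},{row[1]}" for row in cur.fetchall())
    finally:
        conn.close()

    # Traffic to S3 stays on the AWS network because the VPC has a gateway endpoint;
    # the bucket's SSE-KMS setting is requested explicitly on the write.
    boto3.client("s3", region_name=region).put_object(
        Bucket=os.environ["OUTPUT_BUCKET"], Key="aggregated/latest.csv",
        Body=body.encode(), ServerSideEncryption="aws:kms")
    return {"rows": body.count("\n") + 1 if body else 0}
```

The database user must be created for IAM authentication (for Aurora MySQL, `CREATE USER ... IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'`), and the token replaces the password only for that user; a leaked token expires in 15 minutes and is useless without the execution role, which is the blast-radius reduction the question asks for.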