Amazon Exam SCS-C02 Topic 5 Question 18 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 18
Topic #: 5

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Suggested Answer: C

When a VPC has no internet access and resources inside it must reach an AWS service API such as Secrets Manager, the most secure option is an interface VPC endpoint (AWS PrivateLink). The endpoint places elastic network interfaces (ENIs) with private IP addresses in the VPC's subnets, and the Lambda rotation function reaches Secrets Manager over them without an internet gateway, NAT gateway, or VPN. Because the VPC already has DNS hostnames enabled, turning on private DNS for the endpoint makes the regional name secretsmanager.<region>.amazonaws.com resolve to the endpoint's private IPs, so the default rotation function works without code changes. A gateway VPC endpoint is not an option: gateway endpoints exist only for Amazon S3 and Amazon DynamoDB. A NAT gateway or internet gateway would work, but it routes the API calls over the public internet and gives every instance on that route an egress path to anything, which is far wider than the problem requires. The interface endpoint keeps traffic on the AWS network and can be locked down further with a security group that admits only the rotation function's security group on TCP 443 and an endpoint policy that allows only the rotation role to act on the Aurora secret, which is the least-privilege path.
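The following Terraform is an added example and is not part of the original page or of AWS's own rotation templates. It builds the interface endpoint described above together with the two security groups and the endpoint policy that make it least-privilege. The region, VPC and subnet IDs, the rotation function's IAM role ARN and the Aurora secret's ARN are assumed placeholder values.

```hcl
# Added example, not from the original page or from AWS's own templates.
# Assumed values: region, VPC and subnet IDs, the rotation function's IAM
# role ARN and the Aurora secret's ARN. Replace them for a real deployment.
locals {
  region             = "us-east-1"
  vpc_id             = "vpc-0123456789abcdef0"
  private_subnet_ids = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
  rotation_role_arn  = "arn:aws:iam::123456789012:role/SecretsManagerAuroraRotationRole"
  aurora_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/aurora/admin-AbCdEf"
}

# Security group attached to the rotation Lambda function. Terraform strips
# AWS's default allow-all egress, so the only egress is the 443 rule below
# towards the endpoint's security group. The rule allowing the database port
# towards the Aurora cluster's security group is outside this example.
resource "aws_security_group" "rotation_lambda" {
  name        = "secretsmanager-rotation-lambda"
  description = "Secrets Manager rotation function"
  vpc_id      = local.vpc_id
}

# Security group attached to the endpoint ENIs. Only the rotation function's
# security group may reach it, and only on HTTPS.
resource "aws_security_group" "secretsmanager_endpoint" {
  name        = "secretsmanager-endpoint"
  description = "Interface endpoint for Secrets Manager"
  vpc_id      = local.vpc_id
}

resource "aws_security_group_rule" "lambda_to_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.rotation_lambda.id
  source_security_group_id = aws_security_group.secretsmanager_endpoint.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "endpoint_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.secretsmanager_endpoint.id
  source_security_group_id = aws_security_group.rotation_lambda.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
}

# Endpoint policy. It does not replace the role's IAM policy; both must allow
# a call. Here the endpoint only passes requests from the rotation role and
# only for the one Aurora secret. GetRandomPassword takes no resource, so it
# needs its own statement with "*".
data "aws_iam_policy_document" "endpoint" {
  statement {
    sid    = "RotationRoleOnThisSecret"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.rotation_role_arn]
    }
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage",
    ]
    resources = [local.aurora_secret_arn]
  }
  statement {
    sid    = "RotationRoleRandomPassword"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.rotation_role_arn]
    }
    actions   = ["secretsmanager:GetRandomPassword"]
    resources = ["*"]
  }
}

# The interface endpoint itself. private_dns_enabled makes
# secretsmanager.<region>.amazonaws.com resolve to the endpoint ENIs inside
# the VPC, so the default rotation function needs no endpoint override.
resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.private_subnet_ids
  security_group_ids  = [aws_security_group.secretsmanager_endpoint.id]
  private_dns_enabled = true
  policy              = data.aws_iam_policy_document.endpoint.json
}
```

After `terraform apply`, attach `aws_security_group.rotation_lambda` to the rotation function's VPC configuration and place the function in the same private subnets. Private DNS on the endpoint requires both `enableDnsSupport` and `enableDnsHostnames` on the VPC; the question states the hostnames option is already on. If rotation still fails, the usual culprits are a missing database-port egress rule from the Lambda security group to the Aurora security group, or an endpoint policy principal that does not match the role the function actually runs under.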


Contribute your Thoughts:

Tambra
6 months ago
I agree. Internet gateway would expose too much. I think C is the best choice.
upvoted 0 times
Jolene
6 months ago
Adding an internet gateway seems risky. Option D is out.
upvoted 0 times
Letha
6 months ago
Because we need a direct interface for the Lambda function to communicate securely.
upvoted 0 times
Pete
6 months ago
Why not B, the gateway VPC endpoint?
upvoted 0 times
Letha
7 months ago
Yeah, I think the answer is C, adding an interface VPC endpoint.
upvoted 0 times
Tambra
7 months ago
This question about the VPC and Aurora database is interesting.
upvoted 0 times
