Amazon Exam SCS-C02 Topic 7 Question 22 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 22
Topic #: 7

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Suggested Answer: C

In an AWS environment where a VPC has no internet access and resources inside it must reach AWS services such as Secrets Manager, the most secure method is an interface VPC endpoint (AWS PrivateLink). The endpoint provides private connectivity to Secrets Manager, so AWS Lambda functions and other resources in the VPC can call the service without an internet gateway, NAT gateway, or VPN connection. Interface VPC endpoints are powered by AWS PrivateLink, which places Elastic Network Interfaces (ENIs) with private IP addresses in your subnets; traffic to the service never leaves the AWS network. This is more secure than adding a NAT gateway because the VPC gains no path to the internet at all, and it follows the principle of least privilege by opening a route to only the one service that is required.
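The endpoint described above, as an added Terraform example that is not part of the original page and not AWS-published code. The VPC, subnet, Lambda role and secret identifiers are assumed placeholders passed in as variables; the security-group names are likewise made up for the example. It pairs the interface endpoint with a security group that admits only the rotation function and an endpoint policy that limits the endpoint to the rotation actions on the one secret.

```hcl
# Added example (not from the original page): interface VPC endpoint for
# Secrets Manager so the default rotation Lambda in an isolated VPC can
# reach the service privately. All variable values are assumed placeholders.

variable "vpc_id"              { type = string }        # assumed: the isolated VPC
variable "private_subnet_ids"  { type = list(string) }  # assumed: subnets the Lambda runs in
variable "rotation_role_arn"   { type = string }        # assumed: IAM role of the rotation Lambda
variable "rotation_secret_arn" { type = string }        # assumed: ARN of the Aurora secret

data "aws_region" "current" {}

# Security group for the rotation Lambda. No 0.0.0.0/0 egress: the only
# outbound rule added here is HTTPS to the endpoint's security group
# (reachability to the Aurora port is a separate rule, not shown).
resource "aws_security_group" "rotation_lambda" {
  name   = "rotation-lambda-sg"
  vpc_id = var.vpc_id
}

# Security group for the endpoint ENIs.
resource "aws_security_group" "secretsmanager_endpoint" {
  name   = "secretsmanager-endpoint-sg"
  vpc_id = var.vpc_id
}

# Only the Lambda security group may reach the endpoint on 443.
resource "aws_security_group_rule" "endpoint_ingress_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.secretsmanager_endpoint.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rotation_lambda.id
}

resource "aws_security_group_rule" "lambda_egress_to_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.rotation_lambda.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.secretsmanager_endpoint.id
}

resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${data.aws_region.current.name}.secretsmanager"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.secretsmanager_endpoint.id]

  # With private DNS, the regional Secrets Manager hostname resolves to the
  # endpoint ENIs, so the unmodified default rotation function needs no
  # custom endpoint URL. The VPC must have DNS support and DNS hostnames on.
  private_dns_enabled = true

  # Endpoint policy: only the rotation role, only the rotation actions,
  # only this secret (GetRandomPassword is not resource-scoped).
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action = [
          "secretsmanager:DescribeSecret",
          "secretsmanager:GetSecretValue",
          "secretsmanager:PutSecretValue",
          "secretsmanager:UpdateSecretVersionStage",
        ]
        Resource  = var.rotation_secret_arn
        Condition = { ArnEquals = { "aws:PrincipalArn" = var.rotation_role_arn } }
      },
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "secretsmanager:GetRandomPassword"
        Resource  = "*"
        Condition = { ArnEquals = { "aws:PrincipalArn" = var.rotation_role_arn } }
      }
    ]
  })
}
```

The rotation function's own VPC configuration must reference the same subnets and the `rotation_lambda` security group, and that group still needs an egress rule to the Aurora database's security group on the database port. Private DNS on the endpoint is what lets the default rotation function keep using the regional service hostname; it depends on the VPC's DNS support and DNS hostnames settings both being enabled, which is why the question calls out that option. The endpoint policy is a second, independent control alongside the Lambda role's IAM policy: even if the role were over-permissioned, calls through this endpoint are confined to the listed actions on the one secret.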


Contribute your Thoughts:

Jolene
4 months ago
Jokes aside, the interface VPC endpoint is definitely the most secure choice here. It's the only option that keeps the VPC completely isolated while still allowing the Lambda function to access the Secrets Manager endpoint.
upvoted 0 times
Keena
4 months ago
This is a tricky one, but I agree that C is the most secure option. Keeping the VPC isolated from the internet is crucial, and the interface VPC endpoint is the way to do that.
upvoted 0 times
Tequila
4 months ago
Exactly, the interface VPC endpoint is the most secure way to enable communication with the Secrets Manager endpoint.
upvoted 0 times
Johnna
4 months ago
Adding a NAT gateway would expose the VPC to the internet, which is not ideal.
upvoted 0 times
Kenneth
4 months ago
I agree, keeping the VPC isolated from the internet is important for security.
upvoted 0 times
Haydee
4 months ago
I think the best option is to add an interface VPC endpoint to allow access to the Secrets Manager endpoint.
upvoted 0 times
Isadora
5 months ago
That's a good point, Mollie. Interface VPC endpoint might be a better option for more granular control.
upvoted 0 times
Mollie
5 months ago
But wouldn't adding an interface VPC endpoint be more secure? It provides more control over the traffic flow.
upvoted 0 times
Tyisha
5 months ago
I agree with Isadora, adding a gateway VPC endpoint would allow access to the Secrets Manager endpoint securely.
upvoted 0 times
Tasia
5 months ago
Haha, I'd pick option D just to see the security engineer's face when they realize they've opened their VPC to the whole internet. But seriously, C is the way to go.
upvoted 0 times
Karan
4 months ago
Yeah, adding an interface VPC endpoint would keep the communication within the VPC and not expose it to the internet like option D would.
upvoted 0 times
Freeman
4 months ago
I agree, option C is definitely the most secure way to give the Lambda function access to the Secrets Manager endpoint.
upvoted 0 times
Ardella
6 months ago
Hmm, I'm not sure. Adding a NAT gateway seems like it could work, but it might introduce some unnecessary risks. I'd go with the interface VPC endpoint to be on the safe side.
upvoted 0 times
Brandon
6 months ago
I think option C is the most secure choice here. Adding an interface VPC endpoint will allow the Lambda function to communicate with the Secrets Manager endpoint without exposing the VPC to the internet.
upvoted 0 times
Shannan
5 months ago
Yes, adding an interface VPC endpoint is the most secure way to allow communication without internet access.
upvoted 0 times
Sunshine
5 months ago
I agree, option C is the best choice for security.
upvoted 0 times
Isadora
6 months ago
I think the most secure way is to add a gateway VPC endpoint to the VPC.
upvoted 0 times