AWS Certified Security - Specialty SCS-C02 Exam - Question 94

Question

A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet.

A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials.

The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instance's security group to allow connections from this function. When the function is invoked, the function cannot communicate with Secrets Manager to rotate the secret properly.

What should the security engineer do so that the function can rotate the secret?

Examice · Accepted Answer

To allow the Lambda function in the VPC to communicate with AWS Secrets Manager without using the internet, the best approach is to configure a Secrets Manager interface VPC endpoint. This endpoint allows secure, private communication between the Lambda function and Secrets Manager over the AWS network without needing an internet gateway, NAT gateway, or VPC peering connection. Including the Lambda function's private subnet during the configuration process ensures that the function can reach Secrets Manager to rotate the DB instance credentials.

Aamee · Answer

D looks legit.

oioi · Answer

correct

[Removed] · Answer

D is the winner

Daniel76 · Answer

https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html

navid1365 · Answer

Since the RDS instance is in a private subnet without internet access, you need to configure a VPC endpoint.

c6ed25a · Answer

Since no internet we can only think of VPC Endpoint

AWS Certified Security - Specialty SCS-C02 Exam - Question 94

Discussion