Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663 discussion

We're asked to restrict access to both, RDS and S3, to "the ECS cluster" (not to a subnet or endpoint). Not B: Does not restrict RDS at all. Wording about S3 is unusual. Not C: Would work for S3, but would allow RDS access from whole subnet which may contain other resources besides the ECS cluster Not D: Would allow RDS access from whole subnet which may contain other resources besides the ECS cluster. Would allow S3 access from VPC endpoint which might be accessed by other resources besides the ECS cluster.

Option D is the most comprehensive solution as it leverages VPC endpoints for both Amazon RDS and Amazon S3, along with proper network-level controls to restrict access to only the necessary resources from the ECS cluster.

But security groups allow you to control inbound and outbound traffic at the instance level, while network ACLs offer similar capabilities at the VPC subnet level.

I think the word "restricts" is confusing. But I interpret it as allow the ECS task execution role to access the S3 bucket and deny everything else.

The dataset contains sensitive information, nothing to be done here, just stating that it contains sensitive info.

Why not C? Key point: The question specifically asks to ensure that only the ECS cluster can access the data, which means restricting access to the S3 bucket and RDS database solely to the ECS task execution role. Breakdown of option C: S3 bucket policy: By creating a policy that only allows the ECS task execution role to access the S3 bucket, you effectively limit access to the data stored there. VPC endpoint for RDS: A VPC endpoint creates a private connection to the RDS database, preventing any external access and ensuring that only resources within the VPC can connect. RDS security group update: Further restricting access by configuring the RDS security group to only allow connections from the subnets where the ECS cluster will launch tasks.

I cannot believe how many people vote A. the questions is asking only allow ECS cluster access RDS and access to S3. 2 keys here: 1. security group is usually used to security access between RDS and ECS cluster 2. access data in S3 securely, imemdiately, we should think about S3 VPC Gateway endpoints because this secures the traffic only travel via private network. Answer A is just talking about encrpt data at rest, and that is not what the question is asking about

After reading comments changed to A. D will not protect data at rest it will only give n/w level security

According to me "The dataset contains sensitive information" is the main information that motivate the real requirement which is "The company wants to ensure that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket". So we have to take these two assertions into consideration. And knowing that, as S3 default encryption capabilities, RDS Mysql DB Instance encryption is not active by default (check this link for details https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html ), option A is the best option to meet the requirements of accessing the datasets and the assets only from ECS cluster tasks and preserve, at the same time, data confidentiality and integrity. In other words, option A is the best one to ensure the data protection at REST for S3 and RDS and only accessed by ECS cluster.

Try to chat GPT Please

A seems right

Vote for A. Keywords: “sensitive information” and “data in…” D: only network control, can’t control data access on sensitive information.

I did not get how does D achieves the only access from ECS cluster to S3 VPC endpoint.

A; When Only the ECS task execution role is able to encrypt and decrypt the data in the RDS and in the S3 bucket by means of the KMS key policy, you ensure that nothing else can read or modify the data. B: this answer doesn’t state that only the ECS cluster can reach the data. C: Creating a VPC endpoint for RDS does not mean that only the ECS cluster can reach the data D: The S3 VPC endpoint does not guarantee that only the ECS cluster can reach the data. Also allowing a subnet to have access to the RDS sounds too open to me

Options A and B involve using AWS Key Management Service (AWS KMS) for encryption but do not directly address the requirement to restrict access to the ECS cluster. Option C is not the most direct approach for restricting access to the RDS database, as it focuses on the S3 bucket. Therefore, option D is the most appropriate solution for ensuring that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket.

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink.

C need to restrict access from ECS cluster