Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663 discussion

We're asked to restrict access to both, RDS and S3, to "the ECS cluster" (not to a subnet or endpoint). Not B: Does not restrict RDS at all. Wording about S3 is unusual. Not C: Would work for S3, but would allow RDS access from whole subnet which may contain other resources besides the ECS cluster Not D: Would allow RDS access from whole subnet which may contain other resources besides the ECS cluster. Would allow S3 access from VPC endpoint which might be accessed by other resources besides the ECS cluster.

Option D is the most comprehensive solution as it leverages VPC endpoints for both Amazon RDS and Amazon S3, along with proper network-level controls to restrict access to only the necessary resources from the ECS cluster.

I cannot believe how many people vote A. the questions is asking only allow ECS cluster access RDS and access to S3. 2 keys here: 1. security group is usually used to security access between RDS and ECS cluster 2. access data in S3 securely, imemdiately, we should think about S3 VPC Gateway endpoints because this secures the traffic only travel via private network. Answer A is just talking about encrpt data at rest, and that is not what the question is asking about

After reading comments changed to A. D will not protect data at rest it will only give n/w level security

According to me "The dataset contains sensitive information" is the main information that motivate the real requirement which is "The company wants to ensure that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket". So we have to take these two assertions into consideration. And knowing that, as S3 default encryption capabilities, RDS Mysql DB Instance encryption is not active by default (check this link for details https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html ), option A is the best option to meet the requirements of accessing the datasets and the assets only from ECS cluster tasks and preserve, at the same time, data confidentiality and integrity. In other words, option A is the best one to ensure the data protection at REST for S3 and RDS and only accessed by ECS cluster.

Try to chat GPT Please

A seems right

Vote for A. Keywords: “sensitive information” and “data in…” D: only network control, can’t control data access on sensitive information.

I did not get how does D achieves the only access from ECS cluster to S3 VPC endpoint.

A; When Only the ECS task execution role is able to encrypt and decrypt the data in the RDS and in the S3 bucket by means of the KMS key policy, you ensure that nothing else can read or modify the data. B: this answer doesn’t state that only the ECS cluster can reach the data. C: Creating a VPC endpoint for RDS does not mean that only the ECS cluster can reach the data D: The S3 VPC endpoint does not guarantee that only the ECS cluster can reach the data. Also allowing a subnet to have access to the RDS sounds too open to me

Options A and B involve using AWS Key Management Service (AWS KMS) for encryption but do not directly address the requirement to restrict access to the ECS cluster. Option C is not the most direct approach for restricting access to the RDS database, as it focuses on the S3 bucket. Therefore, option D is the most appropriate solution for ensuring that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket.

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink.

C need to restrict access from ECS cluster

Create a VPC endpoint for Amazon RDS for MySQL: This ensures that the ECS cluster can access the RDS database directly within the same Virtual Private Cloud (VPC), without having to go over the internet. By updating the security group to allow access only from the specific subnets that the ECS cluster will generate tasks in, you limit access to only the authorized entities. Create a VPC endpoint for Amazon S3: This allows the ECS cluster to access the S3 bucket directly within the same VPC. By updating the S3 bucket policy to allow access only from the S3 VPC endpoint, you restrict access to the designated VPC, ensuring that only authorized resources can access the S3 bucket.