Exam AWS Certified Security - Specialty topic 1 question 237 discussion

C and D. C: Create the individual users for each module. D: Grant those users access to perform read and write actions to the Redshift datastore. And yes, Redshift DB users have their own ARN in this format: arn:aws:redshift:region:account-id:dbuser:cluster-name/user-name

A security engineer should configure cluster security groups for each application module to control access to the Redshift database users responsible for read-only and read-write operations. This ensures that each module has its own specific access privileges based on compliance requirements. Additionally, the engineer should configure an IAM policy for each module, specifying the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call. This enables fine-grained access control and grants temporary access credentials to each module based on its IAM role, ensuring secure and scalable access management. D is not ideal because creating local database users for each module does not provide a centralized and scalable approach. It would require managing and maintaining multiple database users separately, which can be cumbersome and less secure compared to using IAM roles for access control.

A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read-write. By configuring cluster security groups, you can define the inbound and outbound rules that control network access to the Amazon Redshift clusters. You can associate the appropriate security groups with each module to restrict access based on the required permissions. C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call. IAM policies allow you to define fine-grained permissions for different modules of the application. By specifying the ARN of an Amazon Redshift database user in the IAM policy, you can grant access to specific resources and actions needed for each module. The GetClusterCredentials API call is used to obtain temporary credentials for connecting to the Redshift cluster.

To grant appropriate access to the Amazon Redshift data store for the serverless application hosted on AWS, a security engineer should implement the following two steps: C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call. D. Create local database users for each module.CD

AE Option E is a valid solution to grant appropriate access to the separate modules of the serverless application hosted on AWS that uses Amazon Redshift as a data store. By configuring an IAM policy for each module and specifying the ARN of an IAM user that allows the GetClusterCredentials API call, you can enable the application modules to request temporary database credentials that are scoped to a specific cluster database user and have specific permissions. This approach provides separation of duties, as well as centralized management of user access and permissions through IAM.

why not a y b?

So, both C and D provide a solution to control the access to the Redshift tables through specific users per module, option C uses IAM policies to retrieve the credentials for the specific user and D creates the user inside Redshift. Option B and E, on the other hand, focus on controlling access through the network layer and IAM policies respectively. It would depend on your specific use case and compliance requirements which option would be the best fit.

Answer is A&D: Amazon Redshift - Creating Read Only Users 1. First, create a group that will be used for read only access: create group readonly; SQL 2. Revoke default create rights in the public schema: revoke create on schema public from group readonly; SQL 3. Grant usage access in the public schema: grant usage on schema public to group readonly; SQL 4. Grant access to current tables in the public schema: grant select on all tables in schema public to group readonly; SQL 5. Grant access to future tables in the public schema: alter default privileges in schema public grant select on tables to group readonly; SQL 6. Create a user: create user <username> with password '<password>'; SQL 7. Associate the new user and group: alter group readonly add user <username>;

Based on the fact that by default : When you provision an Amazon Redshift cluster, it is locked down by default so nobody has access to it. To grant other users inbound access to an Amazon Redshift cluster, you associate the cluster with a security group. https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html

Option C and D.

CD checks out Redshift DB users have their own ARN in this format: arn:aws:redshift:region:account-id:dbuser:cluster-name/user-name

A - This is the essential request of being able to access the database. B - VPC endpoint is a good security practice but is not essential. Also, "endpoint policy that maps database users" means having IAM user/role access redshift data. It is not nature from my point of view. C - This requires D, and the ARN of the database user sounds weird - back to B? D - local database user is nature to the Redshig (based on PostgreSQL comp) native access control approach. E - For IAM user, there is a need of storing its credential securely. If it is mentioned as IAM role, I will choose this as the third step.

C D - C and D makes the most sense to me, i was surprised to see people selected A, SG is for allowing access , but from the question being "granting access" i think its more permissions wise then network connectivity

I don't think the security group controls the user-level access.

Answer is A & C

Answer: A and D Don't need to create IAM policies for each module. The question is asking about proper access. To do this we need to create the cluster users and make sure the SGs are set up properly.

On actual test as of Jan 14 2022