
Exam AWS Certified Solutions Architect - Professional topic 1 question 741 discussion

A company runs an application on AWS. An AWS Lambda function uses credentials to authenticate to an Amazon RDS for MySQL DB instance. A security risk assessment identified that these credentials are not frequently rotated. Also, encryption at rest is not enabled for the DB instance. The security team requires that both of these issues be resolved.
Which strategy should a solutions architect recommend to remediate these security risks?

  • A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
  • B. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Modify the DB instance and enable encryption.
  • C. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
  • D. Configure the Lambda function to store and retrieve the database credentials as encrypted AWS Systems Manager Parameter Store parameters. Create another Lambda function to automatically rotate the credentials. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
Suggested Answer: A
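The credential half of answer A in code: a Lambda that caches the Secrets Manager value across warm invocations and refetches it once when a connection fails because rotation has changed the password. This is an added example, not code from the exam or from AWS; `FakeSecretsManager`, the secret name and the host are constructed stand-ins so it runs offline, and `connect` is whatever DB driver call the real function would make.

```python
import json
import time


class FakeSecretsManager:
    """Constructed stand-in for boto3.client("secretsmanager") so the example runs offline.
    Only get_secret_value is modelled; it always returns the AWSCURRENT version."""

    def __init__(self, secret_id, username, password):
        self.secret_id = secret_id
        self.creds = {"username": username, "password": password,
                      "host": "db.example.internal", "port": 3306}  # constructed values
        self.calls = 0

    def rotate(self, new_password):
        # Simulates a Secrets Manager rotation completing: AWSCURRENT now carries the new password.
        self.creds["password"] = new_password

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        if SecretId != self.secret_id:
            raise KeyError(SecretId)  # the real client raises ResourceNotFoundException
        self.calls += 1
        return {"SecretString": json.dumps(self.creds)}


class CachedSecret:
    """Caches the secret at module scope so warm Lambda invocations do not call Secrets Manager
    every time; refreshes when the TTL expires or when the caller reports an auth failure."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def get(self, force_refresh=False):
        expired = self._value is None or self.clock() - self._fetched_at > self.ttl
        if force_refresh or expired:
            resp = self.client.get_secret_value(SecretId=self.secret_id, VersionStage="AWSCURRENT")
            self._value = json.loads(resp["SecretString"])
            self._fetched_at = self.clock()
        return self._value


def connect_with_rotation_retry(secret, connect):
    """connect(creds) opens the DB connection and raises PermissionError on bad credentials.
    Credentials cached before a rotation fail once; refetch AWSCURRENT and retry exactly once."""
    try:
        return connect(secret.get())
    except PermissionError:
        return connect(secret.get(force_refresh=True))
```

Retrying exactly once matters: a single refresh distinguishes "my cache is stale" from "the secret itself is wrong", which should surface as an error rather than a retry loop hammering the database.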

Comments

beebatov
Highly Voted 3 years, 2 months ago
Answer: A. Parameter Store can store DB credentials as a secure string but CANNOT rotate secrets, hence go with A. Also, you cannot enable encryption on an existing MySQL RDS instance; you must create a new encrypted one from an unencrypted snapshot.
upvoted 21 times
AnonymousJhb
2 years, 9 months ago
https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/#:~:text=Secrets%20Manager%20offers%20built%2Din%20integrations%20for%20rotating%20credentials%20for,rotate%20other%20types%20of%20secrets.
upvoted 1 times
ExtHo
Highly Voted 3 years, 2 months ago
A https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
upvoted 11 times
AYANtheGLADIATOR
Most Recent 2 years, 3 months ago
A for sure.
upvoted 1 times
CloudHandsOn
2 years, 4 months ago
My first answer was A
upvoted 1 times
bobsmith2000
2 years, 7 months ago
Selected Answer: A
B and C are wrong because of the RDS encryption limitation: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations. D is incorrect due to Parameter Store usage; there's no rotation provided by the service.
upvoted 2 times
RVD
2 years, 8 months ago
Selected Answer: A
Ans: A
upvoted 1 times
KennethTam
2 years, 9 months ago
A is correct
upvoted 1 times
ashehzad
2 years, 10 months ago
Selected Answer: A
A is the right answer
upvoted 1 times
mattfaz
2 years, 10 months ago
Here is why D cannot be correct: https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/ In the short description of this link, it specifically states that you cannot create an encrypted read replica from an unencrypted DB. The only way to set encryption on an RDS instance is during deployment of the initial instance or by creating a new instance from a snapshot and selecting the Encryption and Key in the parameters page. So that eliminates B, C, D. D is also incorrect since you would not need to create another Lambda function to rotate the keys; this is a feature included in Secrets Manager OOTB.
upvoted 2 times
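The encryption half of answer A as a boto3-style call sequence (snapshot, encrypted copy, restore), plus the `StorageEncrypted` check an assessor would run before and after. This is an added example, not code from the exam or from AWS; `FakeRds` is a constructed stand-in for `boto3.client("rds")` so it runs offline, and the KMS key ARN and instance identifiers the caller passes are placeholders.

```python
class _NoWait:
    """Stands in for a boto3 waiter; the real waiters block until the resource is available."""
    def wait(self, **kwargs):
        pass


class FakeRds:
    """Constructed stand-in for boto3.client("rds") modelling only the calls used below, with the
    documented rule: a snapshot inherits the source's encryption state, a copy can add a KMS key,
    and an instance restored from a snapshot inherits that snapshot's encryption state."""

    def __init__(self, instance_id):
        self.instances = {instance_id: {"StorageEncrypted": False}}
        self.snapshots = {}

    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        encrypted = self.instances[DBInstanceIdentifier]["StorageEncrypted"]
        self.snapshots[DBSnapshotIdentifier] = {"Encrypted": encrypted}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId=None):
        src = self.snapshots[SourceDBSnapshotIdentifier]
        self.snapshots[TargetDBSnapshotIdentifier] = {"Encrypted": src["Encrypted"] or KmsKeyId is not None}

    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        snap = self.snapshots[DBSnapshotIdentifier]
        self.instances[DBInstanceIdentifier] = {"StorageEncrypted": snap["Encrypted"]}

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [dict(self.instances[DBInstanceIdentifier])]}

    def get_waiter(self, name):
        return _NoWait()


def is_encrypted(rds, instance_id):
    """The check to run before and after remediation: StorageEncrypted on the instance."""
    return rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]["StorageEncrypted"]


def encrypt_existing_instance(rds, instance_id, kms_key_id, suffix="enc"):
    """Snapshot -> encrypted copy -> restore as a new instance; returns the new identifier.
    The source instance stays up until the application is cut over, then can be deleted."""
    plain_snap, enc_snap = f"{instance_id}-plain-{suffix}", f"{instance_id}-encrypted-{suffix}"
    new_id = f"{instance_id}-{suffix}"
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id, DBSnapshotIdentifier=plain_snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap, TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)  # supplying KmsKeyId is what makes the copy encrypted
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_id, DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_id)
    return new_id
```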
RVivek
2 years, 11 months ago
Answer: A. Encrypting an unencrypted DB instance or creating an encrypted replica of an unencrypted DB instance is not possible. Hence A is the only solution possible. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations
upvoted 1 times
AzureDP900
2 years, 12 months ago
A is correct
upvoted 1 times
rogan1821
2 years, 12 months ago
Selected Answer: A
Currently using this.
upvoted 1 times
cldy
3 years ago
A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
upvoted 2 times
RVD
3 years ago
Selected Answer: A
RDS has integration with Secrets Manager with a key rotation function.
upvoted 1 times
Gaurav_GGG
3 years ago
Answer is A. Secrets Manager will store and rotate secrets. And you need an encrypted snapshot to create an encryption-at-rest DB.
upvoted 1 times
backfringe
3 years ago
AAAAAAAAAAAAAAAAA
upvoted 1 times
ByomkeshDas
3 years ago
Option A is correct. Because you can't create an encrypted read replica from an unencrypted instance. https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other