Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Amazon Discussions

Exam AWS Certified Solutions Architect - Professional topic 1 question 741 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 741
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company runs an application on AWS. An AWS Lambda function uses credentials to authenticate to an Amazon RDS for MySQL DB instance. A security risk assessment identified that these credentials are not frequently rotated. Also, encryption at rest is not enabled for the DB instance. The security team requires that both of these issues be resolved.
Which strategy should a solutions architect recommend to remediate these security risks?

  • A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
  • B. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Modify the DB instance and enable encryption.
  • C. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
  • D. Configure the Lambda function to store and retrieve the database credentials as encrypted AWS Systems Manager Parameter Store parameters. Create another Lambda function to automatically rotate the credentials. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
Reference:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html
by gsw at April 30, 2021, 3:02 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
beebatov
Highly Voted 2 years, 10 months ago
Answer: A Parameter store can store DB credentials as secure string but CANNOT rotate secrets, hence, go with A + Cannot enable encryption on existing MySQL RDS instance, must create a new encrypted one from unencrypted snapshot.
upvoted 21 times
AnonymousJhb
2 years, 5 months ago
https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/#:~:text=Secrets%20Manager%20offers%20built%2Din%20integrations%20for%20rotating%20credentials%20for,rotate%20other%20types%20of%20secrets.
upvoted 1 times
...
...
ExtHo
Highly Voted 2 years, 10 months ago
A https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
upvoted 11 times
...
AYANtheGLADIATOR
Most Recent 1 year, 10 months ago
A for sure.
upvoted 1 times
...
CloudHandsOn
2 years ago
My first answer was A
upvoted 1 times
...
bobsmith2000
2 years, 2 months ago
Selected Answer: A
B and C are wrong because of RDS encryption limitation https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations D is incorrect due to parameter store usage. There's no rotation provided by the service
upvoted 2 times
...
RVD
2 years, 4 months ago
Selected Answer: A
Ans: A
upvoted 1 times
...
KennethTam
2 years, 4 months ago
A is correct
upvoted 1 times
...
ashehzad
2 years, 5 months ago
Selected Answer: A
A is the right answer
upvoted 1 times
...
mattfaz
2 years, 6 months ago
Here is why D cannot be correct: https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/ In the short description of this link - it specifically states that you cannot create an encrypted read-replica from an unencrypted DB. The only way to set encryption on an RDS instance is during deployment of the initial instance or creating a new instance from a snapshot and selecting the Encryption and Key in the parameters page. So that eliminates B,C,D. D is also incorrect since you would not need to create another Lambda function to rotate the keys - this is a feature included in Secrets Manager OOTB.
upvoted 2 times
...
RVivek
2 years, 6 months ago
Answer: A Encrypting a unencrypted instance of DB or creating a encrypted replica of an un encrypted DB instance are not possible Hence A is the only solution possible. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations
upvoted 1 times
...
AzureDP900
2 years, 7 months ago
A is correct
upvoted 1 times
...
rogan1821
2 years, 7 months ago
Selected Answer: A
지금 사용중
upvoted 1 times
...
cldy
2 years, 7 months ago
A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
upvoted 2 times
...
RVD
2 years, 7 months ago
Selected Answer: A
RDS has integration with Secret Manger with Key rotation fuction.
upvoted 1 times
...
Gaurav_GGG
2 years, 7 months ago
Answer is A. Secret manager will store and rotate secrets. And need encrypted snapshot to create encryption at rest DB.
upvoted 1 times
...
backfringe
2 years, 8 months ago
AAAAAAAAAAAAAAAAA
upvoted 1 times
...
ByomkeshDas
2 years, 8 months ago
Option A is correct. Because you can't create an encrypted read replica from an unencrypted instance. https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb
upvoted 1 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
ex Want to SAVE BIG on Certification Exam Prep?
close
ex Unlock All Exams with ExamTopics Pro 75% Off
  • arrow Choose From 1000+ Exams
  • arrow Access to 10 Exams per Month
  • arrow PDF Format Available
  • arrow Inline Discussions
  • arrow No Captcha/Robot Checks
Limited Time Offer
Ends in

Claim Offer Now
286 people claimed it in the last 6 hours