Exam AWS Certified Security - Specialty topic 1 question 384 discussion

B is correct https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html

Only B makes sense to me... VPC endpoint

B https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/vpc-interface-endpoints.html "All RDS API operations relevant to managing Amazon Aurora resources are available from your VPC using AWS PrivateLink."

A VPC endpoint is considered more secure than other options because it allows you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. This means that traffic between your VPC and the service does not leave the Amazon network, reducing the risk of data interception by malicious actors .

I would say A as it is the only answer that makes sense while addressing the need for the RDS to be private

The MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database is option A: Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC. Configure the Lambda functions to use the Aurora database’s new private IP address to access the database. Configure the Aurora database's security group to allow access from the private IP addresses of the Lambda functions. This option ensures that the Aurora database is not publicly accessible by moving it to a private subnet with no internet access routes. The Lambda functions can then access the database using its private IP address. The security group for the Aurora database can be updated to allow access only from the private IP addresses of the Lambda functions, which limits access to the database to only the Lambda functions that require it.

The question says no DB should be publicly accessable, with option B the DB is still punlicly accessible. So doesnt the answer should be A?

Would have said A if there was a VPC peering, so went with B.

"publicly accessible Amazon Aurora MySQL database" = noncompliant as "company’s security policy states that no database should be publicly accessible" Unless I am mistaken, nothing in B makes this database publicly inaccessible ? A makes the database publicly inaccessible and meets the 'MOST secure way' requirement. C and D are nonsensical

B is the answer. Both services can access through VPC's using the VPC endpoints. https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html

I guess the problem with A is the IP addresses of the Lambda functions as sources? The answer says to allow access but it doesn't say we need to actually know the IP addresses so maybe this is okay as when we configure a Lambda function to access the Aurora subnet we choose a security group during configuration ? B confuses me. I'm ok with the RDS service endpoint in the Aurora private subnet but aren't Lambda functions in a VPC owned by the Lambda service? Are we even able to configure an interface VPC endpoint in the Lambda service owned VPC? It looks to me like connectivity from the Lambda service owned VPC to an account VPC (where the Aurora instances are) would use Hyperplane ENIs created by Lambda as needed. https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html

Answer B

I also have B as the answer

I'd say B by elimination...