Exam AWS Certified Solutions Architect - Professional topic 1 question 574 discussion

During a security audit of a Service team's application, a Solutions Architect discovers that a username and password for an Amazon RDS database and a set of AWS IAM user credentials can be viewed in the AWS Lambda function code. The Lambda function uses the username and password to run queries on the database, and it uses the IAM credentials to call AWS services in a separate management account.
The Solutions Architect is concerned that the credentials could grant inappropriate access to anyone who can view the Lambda code. The management account and the Service team's account are in separate AWS Organizations organizational units (OUs).
Which combination of changes should the Solutions Architect make to improve the solution's security? (Choose two.)

  • A. Configure Lambda to assume a role in the management account with appropriate access to AWS.
  • B. Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.
  • C. Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials.
  • D. Use an SCP on the management account's OU to prevent IAM users from accessing resources in the Service team's account.
  • E. Enable AWS Shield Advanced on the management account to shield sensitive resources from unauthorized IAM access.
Suggested Answer: BD
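The scenario describes two separate secrets baked into function code: a database login and long-term IAM user keys for another account. The fix the discussion converges on (A and B) removes both: the RDS login is read from AWS Secrets Manager at run time, and the management account is reached by calling STS AssumeRole with the function's execution role, so no long-term credential ever sits in the deployment package. The snippet below is an added example written for this page; it is not code from the question, from ExamTopics or from AWS. It shows the audit check that finds a hard-coded access key ID (the AKIA/ASIA prefixes and 16-character body are the real key format; AKIAIOSFODNN7EXAMPLE is the placeholder key AWS uses in its own documentation), and then the hardened handler. The secret name, role ARN, environment variable names, session name and the fake client responses are assumptions; the JSON layout of the RDS secret is the one Secrets Manager writes when rotation is enabled. The boto3 calls used (secretsmanager get_secret_value, sts assume_role with RoleArn, RoleSessionName, DurationSeconds and optional ExternalId) are real; the clients are injected so the module also runs offline.

```python
"""Hardened replacement for the Lambda in the question (added example, not the page's code).

1. find_hardcoded_access_keys: the audit check that catches an IAM access key ID in source.
2. load_db_credentials / management_session_credentials / handler: a function that carries
   no credentials at all. The RDS login comes from Secrets Manager, the management-account
   access from STS AssumeRole on the execution role. Clients are injectable so this runs
   offline with the fakes at the bottom.
"""
import json
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_hardcoded_access_keys(source: str) -> List[str]:
    """Return every AWS access key ID literal found in a blob of source code."""
    return ACCESS_KEY_ID_RE.findall(source)


# Constructed 'before' snippet: the kind of code the audit in the question found.
# AKIAIOSFODNN7EXAMPLE is the placeholder key from the AWS documentation, not a live key.
VULNERABLE_SNIPPET = '''
DB_USER = "admin"
DB_PASS = "Summer2020!"
MGMT_KEY = "AKIAIOSFODNN7EXAMPLE"
MGMT_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
'''


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    host: str
    port: int
    dbname: str


def load_db_credentials(secrets_client, secret_id: str) -> DbCredentials:
    """Read an RDS secret in the JSON layout Secrets Manager rotation writes.

    Fetching at run time (rather than at deploy time) is what makes automatic
    rotation safe: the function always sees the current password.
    """
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    data = json.loads(resp["SecretString"])
    return DbCredentials(
        username=data["username"], password=data["password"],
        host=data["host"], port=int(data["port"]), dbname=data["dbname"],
    )


def management_session_credentials(sts_client, role_arn: str, session_name: str,
                                   external_id: Optional[str] = None) -> Dict[str, str]:
    """Assume the cross-account role; returns keyword args for boto3.client()."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": 900}            # 15 minutes, the shortest STS allows
    if external_id:
        kwargs["ExternalId"] = external_id       # only if the role's trust policy requires it
    creds = sts_client.assume_role(**kwargs)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def handler(event, context, secrets_client=None, sts_client=None,
            env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Lambda entry point. The environment variable names are assumptions."""
    env = os.environ if env is None else env
    if secrets_client is None or sts_client is None:
        import boto3                             # only needed when running inside AWS
        secrets_client = secrets_client or boto3.client("secretsmanager")
        sts_client = sts_client or boto3.client("sts")
    db = load_db_credentials(secrets_client, env["DB_SECRET_ID"])
    mgmt = management_session_credentials(
        sts_client, env["MGMT_ROLE_ARN"], "service-team-lambda", env.get("MGMT_EXTERNAL_ID"))
    # A real function would open the DB connection and the cross-account client here, e.g.
    #   psycopg2.connect(host=db.host, port=db.port, dbname=db.dbname,
    #                    user=db.username, password=db.password)
    #   boto3.client("organizations", **mgmt)
    return {"db_host": db.host, "db_user": db.username,
            "session_key": mgmt["aws_access_key_id"]}


# --- Fakes so the module runs without an AWS account (constructed responses) ---
class FakeSecretsManager:
    def get_secret_value(self, SecretId):
        assert SecretId == "prod/service-team/rds"
        return {"SecretString": json.dumps({
            "engine": "postgres", "host": "svc-db.example.internal", "port": 5432,
            "dbname": "service", "username": "app_user",
            "password": "rotated-by-secrets-manager"})}


class FakeSts:
    def assume_role(self, **kwargs):
        assert kwargs["RoleArn"] == "arn:aws:iam::111122223333:role/ServiceTeamLambdaAccess"
        assert kwargs["DurationSeconds"] == 900
        return {"Credentials": {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
                                "SecretAccessKey": "fake", "SessionToken": "fake-token"}}


TEST_ENV = {"DB_SECRET_ID": "prod/service-team/rds",
            "MGMT_ROLE_ARN": "arn:aws:iam::111122223333:role/ServiceTeamLambdaAccess"}

if __name__ == "__main__":
    print(find_hardcoded_access_keys(VULNERABLE_SNIPPET))
    print(handler({}, None, FakeSecretsManager(), FakeSts(), TEST_ENV))
```

For this to work in AWS the Lambda execution role needs `secretsmanager:GetSecretValue` on the one secret and `sts:AssumeRole` on the one management-account role, and that role's trust policy must name the execution role as principal. Nothing here touches an SCP: an SCP bounds what principals inside the accounts of its OU may do, it cannot grant the Lambda the cross-account call it needs, and revoking the leaked IAM user's keys (and deleting the user) is what actually closes the exposure the audit found.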

Comments

LunchTime
Highly Voted 3 years, 9 months ago
A & B are correct. Consensus on B being correct. Regarding A versus D: SCP is too restrictive. As mentioned by khksoma, the issue is only around the Lambda function. D also does not provide a way to support the Lambda calling AWS services in the separate account. As such, D is not correct. Option "A" addresses this and is supported by the link given by balisongjam.
upvoted 27 times
...
Ebi
Highly Voted 3 years, 8 months ago
Answer is AB
upvoted 6 times
...
SkyZeroZx
Most Recent 2 years ago
Selected Answer: AB
A/B. Assuming the role is the right way to do it. And SSM is good for storing DB credentials: https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/ D is wrong, as users from one account cannot access resources from another account if not allowed through cross-account access using assumed roles. There's no need to use an SCP for deny. The only question in my case: in this case, Lambdas usually do not need to use credentials; it is more appropriate to use an IAM role and avoid the use of credentials. But the correct answer is AB.
upvoted 1 times
...
tartarus23
3 years, 2 months ago
Selected Answer: AB
A seems a better option than using AWS Organizations to address the requirements. B: AWS Secrets Manager enables lifecycle management, key rotation and securely storing the database credentials.
upvoted 1 times
...
HellGate
3 years, 5 months ago
My answer is B and D. in the question, mentioned as “The Solutions Architect is afraid that the credentials might be misused by anybody who can examine the Lambda code”, so proper access control is needed here. We need D for this.
upvoted 3 times
...
CloudChef
3 years, 6 months ago
Seems AWS has people who put a bunch of wrong answers at about the same time. Careful what you believe.
upvoted 2 times
...
AzureDP900
3 years, 7 months ago
A, B is right
upvoted 1 times
...
tonikus
3 years, 8 months ago
Q: Answers here... marked as "Correct" with a randomizer?
upvoted 1 times
...
WhyIronMan
3 years, 8 months ago
I'll go with A,B
upvoted 2 times
...
ss160700
3 years, 8 months ago
A&B - D will prevent Lambda from functioning correctly
upvoted 1 times
...
pradhyumna
3 years, 8 months ago
B and D are correct. The question says "which combination"; obviously both A and B are solving the same Lambda problem, hence not a good "combination". On top of that, it does not help for Lambda to assume a role in the mgmt account while the application is running entirely in the service account with Lambda and RDS. The second part of the problem is how to prevent users from using the IAM credentials that can be viewed in the code. This is what the SCP addresses; anyway, an SCP doesn't affect the IAM users in the mgmt account, so this SCP would prevent IAM users from the service account. I would go with the B and D "combination".
upvoted 3 times
pradhyumna
3 years, 8 months ago
Changing to A & B: RDS credentials in Secrets Manager, use roles to eliminate mgmt creds.
upvoted 3 times
...
...
Waiweng
3 years, 8 months ago
it's A&B
upvoted 6 times
...
Kian1
3 years, 8 months ago
going with AB
upvoted 3 times
...
Firststack
3 years, 8 months ago
A & B is the most secure approach
upvoted 2 times
...
Justu
3 years, 8 months ago
AB, You need to fix lambda getting credentials directly from the code and allow it to use mgmt account resources. D: There's no need to restrict ServiceAccount resources by SCP. Kanavpeer is right.
upvoted 1 times
...
Cantaloupe
3 years, 8 months ago
A/B. Assuming the role is the right way to do it. And SSM is good for storing DB credentials: https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/ D is wrong, as users from one account cannot access resources from another account if not allowed through cross-account access using assumed roles. There's no need to use an SCP for deny. E is wrong, as Shield is used for DDoS protection. C does not make sense with hourly redeploying of the Lambda.
upvoted 2 times
...
petebear55
3 years, 9 months ago
BEST PRACTICE WOULD BE B AND D
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other