Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 111 discussion

a little bit confused between A and D but as said by others members D doesn't adress the The question of "data must not travel across the Internet"==> A is the answer

B and D are out because you need the VPC endpoints. C is out because you cannot enable rotation in Parameter Store (https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_parameterstore.html)

Option A does not address the requirement for rotating database credentials.

A. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.

A is better than D because it remove the complexity of management of the secret to connect to the DB and replaces it with the IAM DB authentication. In addition S3 endpoint GW is better to prevent traffic going through internet.

Key is data must not travel accros the internet mean use VPC gateway

A, "data must no travel across the internet". This setup ensures internal network use only, meeting the security and networking requirements efficiently

The data must not travel across the Internet.

Option D offers a comprehensive solution by leveraging AWS Secrets Manager for storing and automatically rotating database credentials, which directly addresses the concern of minimizing the impact if credentials become compromised. Changing the Lambda function to retrieve credentials from Secrets Manager enhances security by not storing credentials within environment variables. Enforcing HTTPS for S3 data transfers ensures the data in transit is encrypted. While deploying a gateway VPC endpoint for S3 (as mentioned in other options) is a best practice to keep traffic within the AWS network, enforcing HTTPS also contributes to securing data transfers without explicitly stating the need to avoid Internet travel. Secrets Manager inherently provides secure access to secrets without needing to travel across the Internet when accessed from AWS services within the same region. Option A does not address the requirement for securing and rotating database credentials stored as Lambda environment variables.

Answer is A as S3 VPC is endpoint is needed to avoid data going over internet.

AWS Secrets Manager is meant for this job, why go with any other option

I prefor A

A https://aws.amazon.com/pt/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

https://docs.aws.amazon.com/pt_br/secretsmanager/latest/userguide/vpc-endpoint-overview.html

A for sure

I was about to chose D however just enforcing the HTTP will not avoid the data to travel across internet. You will need the option where the gateway VPC endpoint is deployed for access the S3. The answer is A. A will also solve the issue related to authenticate the lambda to aurora without needing to store passwords, refer to - https://aws.amazon.com/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

However, Option A is not the best choice for the given scenario because: It doesn't address the requirement to minimize the impact of compromised database credentials. IAM database authentication eliminates traditional user credentials, but it doesn't implement password rotation for the remaining IAM credentials. While the VPC endpoint keeps traffic within the AWS network, it doesn't enforce encryption during data transfers to Amazon S3. Option D, on the other hand, addresses both the requirement of minimizing the impact of compromised credentials through password rotation using AWS Secrets Manager and ensuring encrypted data transfers to Amazon S3 by enforcing HTTPS. That's why Option D is the better choice for this scenario.