
Amazon SCS-C02 Exam - Topic 5 Question 18 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 18
Topic #: 5

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Suggested Answer: C

When a VPC has no internet access but resources inside it must reach an AWS service such as Secrets Manager, the most secure option is an interface VPC endpoint (AWS PrivateLink). The endpoint places Elastic Network Interfaces (ENIs) with private IP addresses in the VPC's subnets, so the Lambda rotation function and other resources in the VPC reach Secrets Manager over the AWS network without an internet gateway, NAT gateway, or VPN connection. Because the VPC already has private DNS hostnames enabled, enabling private DNS on the endpoint makes the default Secrets Manager service hostname resolve to the endpoint's private IPs, so the default rotation function works without modification. Secrets Manager is reached through an interface endpoint, not a gateway endpoint; gateway endpoints exist only for Amazon S3 and DynamoDB. This is more secure than a NAT gateway or internet gateway because no internet path is created at all, and the endpoint's security group and endpoint policy can restrict traffic to the rotation function and to the specific secret it manages, following the principle of least privilege.
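As a concrete illustration of the suggested answer, the CloudFormation fragment below is added here and is not part of the original question or answer. It assumes the VPC, private subnets, the rotation function's security group, its execution role ARN and the Aurora secret ARN are supplied as parameters, and that the Lambda function's own security group permits outbound HTTPS.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private path from the rotation Lambda to Secrets Manager (illustrative)
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }
  LambdaSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }  # SG on the rotation function
  RotationRoleArn: { Type: String }  # execution role of the rotation function (assumed)
  SecretArn: { Type: String }        # the Aurora credential secret (assumed)
Resources:
  # Only the rotation function's security group may reach the endpoint, HTTPS only.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the rotation Lambda to the Secrets Manager endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref LambdaSecurityGroupId }
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.secretsmanager'
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      # The VPC already has private DNS hostnames enabled, so this makes the public
      # service name resolve to the endpoint ENIs; the default rotation function
      # then works with no code or configuration change.
      PrivateDnsEnabled: true
      # Endpoint policy: only the rotation role, only the actions rotation performs,
      # only this secret (GetRandomPassword is not resource-scoped, hence its own statement).
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: ['secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue',
                     'secretsmanager:PutSecretValue', 'secretsmanager:UpdateSecretVersionStage']
            Resource: !Ref SecretArn
            Condition: { ArnEquals: { 'aws:PrincipalArn': !Ref RotationRoleArn } }
          - Effect: Allow
            Principal: '*'
            Action: 'secretsmanager:GetRandomPassword'
            Resource: '*'
            Condition: { ArnEquals: { 'aws:PrincipalArn': !Ref RotationRoleArn } }
```

A NAT gateway would satisfy the connectivity requirement too, but it would add an internet path to the VPC and could not be scoped to one service, one principal and one secret the way the endpoint policy above is.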


Contribute your Thoughts:

Tawna
3 months ago
Definitely not D, that opens up too much risk.
upvoted 0 times
Yvette
3 months ago
Surprised that an internet gateway is even an option here!
upvoted 0 times
Cathrine
3 months ago
A NAT gateway? Seems unnecessary for this.
upvoted 0 times
Joanne
4 months ago
I think C might be better, though.
upvoted 0 times
Daniel
4 months ago
Option B is the best choice for secure access!
upvoted 0 times
Una
4 months ago
I’m a bit confused about the differences between gateway and interface endpoints. I hope I can remember which one is specifically for Secrets Manager during the exam.
upvoted 0 times
Lelia
4 months ago
I practiced a similar question where we had to choose between different types of VPC endpoints. I feel like the interface endpoint is the right choice here.
upvoted 0 times
Wilda
4 months ago
I think adding a NAT gateway could work, but it might not be the most secure option since it exposes the VPC to the internet.
upvoted 0 times
Carmen
5 months ago
I remember studying about VPC endpoints, but I'm not sure if it's the gateway or interface type that works best for Secrets Manager.
upvoted 0 times
Fernanda
5 months ago
The question is really testing our understanding of VPC networking and security best practices. The interface VPC endpoint seems like the most logical choice given the requirements.
upvoted 0 times
Lorrine
5 months ago
I'm a bit confused on the differences between the VPC endpoint options. I'll need to review the details to make sure I understand which one is the best fit here.
upvoted 0 times
Marcos
5 months ago
Okay, I think I've got it. Since the VPC has private DNS hostnames enabled, an interface VPC endpoint is the most secure way to allow the Lambda function to access Secrets Manager.
upvoted 0 times
Shawna
5 months ago
Hmm, the key here is that the VPC has no internet access, so a NAT gateway or internet gateway won't work. I'm leaning towards the VPC endpoint options.
upvoted 0 times
Corinne
5 months ago
This seems like a tricky one. I'll need to think carefully about the options and how they relate to the VPC setup and security requirements.
upvoted 0 times
Tammi
5 months ago
Deleting older records could help, but I'm not sure if that's the best long-term solution. I'll need to consider the potential impact on the data and the business requirements.
upvoted 0 times
Albert
5 months ago
I think this might be about price fixing, but I'm not entirely sure—tying arrangements sound similar too.
upvoted 0 times
Lavelle
5 months ago
This looks like a straightforward question on authentication methods. I'm pretty confident I can identify the correct answers here.
upvoted 0 times
Tambra
2 years ago
I agree. Internet gateway would expose too much. I think C is the best choice.
upvoted 0 times
Jolene
2 years ago
Adding an internet gateway seems risky. Option D is out.
upvoted 0 times
Letha
2 years ago
Because we need a direct interface for the Lambda function to communicate securely.
upvoted 0 times
Pete
2 years ago
Why not B, the gateway VPC endpoint?
upvoted 0 times
Letha
2 years ago
Yeah, I think the answer is C, adding an interface VPC endpoint.
upvoted 0 times
Tambra
2 years ago
This question about the VPC and Aurora database is interesting.
upvoted 0 times
