AWS Certified Database – Specialty — Question 2
A company is deploying a solution in Amazon Aurora by migrating from an on-premises system. The IT department has established an AWS Direct Connect link from the company's data center. The company's Database Specialist has selected the option to require SSL/TLS for connectivity to prevent plaintext data from being sent over the network. The migration appears to be working successfully, and the data can be queried from a desktop machine.
Two Data Analysts have been asked to query and validate the data in the new Aurora DB cluster. Both Analysts are unable to connect to Aurora. Their user names and passwords have been verified as valid and the Database Specialist can connect to the DB cluster using their accounts. The Database Specialist also verified that the security group configuration allows network traffic from all corporate IP addresses.
What should the Database Specialist do to correct the Data Analysts' inability to connect?
Answer options
- A. Restart the DB cluster to apply the SSL change.
- B. Instruct the Data Analysts to download the root certificate and use the SSL certificate on the connection string to connect.
- C. Add explicit mappings between the Data Analysts' IP addresses and the instance in the security group assigned to the DB cluster.
- D. Modify the Data Analysts' local client firewall to allow network traffic to AWS.
Correct answer: B
Explanation
The correct answer is B: because SSL/TLS is mandatory for accessing the Aurora DB cluster, the Data Analysts need to download the root certificate and reference it in the connection string to establish a secure SSL/TLS connection. Option A is incorrect because restarting the DB cluster does not resolve client connection issues. Option C is not necessary since the security group already allows access from all corporate IPs. Option D is also incorrect, since the primary issue is the SSL/TLS requirement rather than a local firewall blocking the connection.