AWS Certified Database – Specialty — Question 335
A gaming company uses Amazon Aurora Serverless for one of its internal applications. The company's developers use Amazon RDS Data API to work with the Aurora Serverless DB cluster. After a recent security review, the company is mandating security enhancements. A database specialist must ensure that access to RDS Data API is private and never passes through the public internet.
What should the database specialist do to meet this requirement?
Answer options
- A. Modify the Aurora Serverless cluster by selecting a VPC with private subnets.
- B. Modify the Aurora Serverless cluster by unchecking the publicly accessible option.
- C. Create an interface VPC endpoint that uses AWS PrivateLink for RDS Data API.
- D. Create a gateway VPC endpoint for RDS Data API.
Correct answer: C
Explanation
To keep traffic to the RDS Data API private and off the public internet, create an interface VPC endpoint (using AWS PrivateLink), which the RDS Data API supports. Gateway VPC endpoints are not supported for this service; they are available only for Amazon S3 and DynamoDB. Changing the network settings or public accessibility of the Aurora Serverless cluster itself does not secure traffic to the API endpoint, which is external to the cluster.