AWS Certified Security – Specialty (SCS-C02) — Question 135

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.

What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

Answer options

Correct answer: C

Explanation

The correct answer is C because an interface VPC endpoint (AWS PrivateLink) gives resources in the VPC a private path to supported AWS services such as Secrets Manager, so the traffic never leaves the AWS network and no internet gateway or NAT device is required. Options A and D are less secure because they rely on internet access, and option B, a gateway VPC endpoint, does not apply to Secrets Manager, which is reachable only through an interface endpoint.
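As an added illustration of the chosen answer (this is example code, not part of the exam question or any AWS-provided template), the CloudFormation template below creates a Secrets Manager interface endpoint in the Aurora VPC with private DNS enabled, restricts inbound HTTPS on the endpoint to the rotation function's security group, and attaches an endpoint policy that limits what can pass through it to the rotation role and the single secret being rotated. The VPC, subnet, security group, secret ARN and role ARN are all placeholder parameters.

```yaml
# Added example (not from the exam page): CloudFormation template that creates
# an interface VPC endpoint for Secrets Manager so a Lambda rotation function in
# a VPC with no internet access can reach the service privately.
# All parameter values (VPC, subnets, security group, secret, role) are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Private access to Secrets Manager for a Lambda rotation function (example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets the rotation Lambda function is attached to
  LambdaSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached to the rotation Lambda function
  DatabaseSecretArn:
    Type: String
    Description: ARN of the Aurora credential secret being rotated (placeholder)
  RotationRoleArn:
    Type: String
    Description: IAM role ARN of the rotation Lambda function (placeholder)

Resources:
  # Only allow HTTPS from the rotation function's security group into the
  # endpoint's network interfaces; nothing else in the VPC can use the endpoint.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Secrets Manager interface endpoint - HTTPS from rotation Lambda only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LambdaSecurityGroupId

  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # With private DNS, secretsmanager.<region>.amazonaws.com resolves to the
      # endpoint's private IPs, so the default rotation function needs no code change.
      PrivateDnsEnabled: true
      # Endpoint policy: scope what may traverse this endpoint to the rotation role
      # and the one secret it rotates (GetRandomPassword is not resource-scoped).
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref RotationRoleArn
            Action:
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
              - secretsmanager:PutSecretValue
              - secretsmanager:UpdateSecretVersionStage
            Resource: !Ref DatabaseSecretArn
          - Effect: Allow
            Principal:
              AWS: !Ref RotationRoleArn
            Action: secretsmanager:GetRandomPassword
            Resource: "*"

Outputs:
  EndpointId:
    Value: !Ref SecretsManagerEndpoint
```

Private DNS on the endpoint relies on the VPC having DNS hostnames and DNS support enabled, which the question states is already the case; the rotation function's own security group must still permit outbound TCP 443. The endpoint policy does not replace the rotation role's IAM permissions, it is an additional filter on the network path, so a rotation failure after deployment is usually a sign that either the role policy or the endpoint policy is missing one of the actions listed above.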