AWS Certified Security – Specialty — Question 173

A company has a serverless application for internal users deployed on AWS. The application uses AWS Lambda for the front end and for business logic. The
Lambda function accesses an Amazon RDS database inside a VPC. The company uses AWS Systems Manager Parameter Store for storing database credentials.
A recent security review highlighted the following issues:
✑ The Lambda function has internet access.
✑ The relational database is publicly accessible.
✑ The database credentials are not stored in an encrypted state.
Which combination of steps should the company take to resolve these security issues? (Choose three.)

Answer options

• A. Disable public access to the RDS database inside the VPC.
• B. Move all the Lambda functions inside the VPC.
• C. Edit the IAM role used by Lambda to restrict internet access.
• D. Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
• E. Edit the IAM role used by RDS to restrict internet access.
• F. Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.

Correct answer: A, B, F

Explanation

The correct steps involve disabling public access to the RDS database (A) to prevent unauthorized access, moving Lambda functions inside the VPC (B) to enhance security by limiting internet exposure, and storing credentials as a SecureString (F) to ensure they are encrypted. Options C and E focus on restricting internet access for IAM roles, which do not directly address the core issues identified in the security review, while D does not use SecureString for enhanced security.