AWS Certified Security – Specialty — Question 201
A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store. The application has separate modules for read/write and read-only functionality. For compliance reasons, each module needs its own database user.
Which combination of steps should a security engineer implement to grant appropriate access? (Choose two.)
Answer options
- A. Configure cluster security groups for each application module to control access to database users that are required for read-only and read-write.
- B. Configure a VPC endpoint for Amazon Redshift. Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write.
- C. Configure an IAM policy for each module. Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call.
- D. Create local database users for each module.
- E. Configure an IAM policy for each module. Specify the ARN of an IAM user that allows the GetClusterCredentials API call.
Correct answer: C, D
Explanation
Options C and D together satisfy the requirement. D creates a distinct local database user for each module, granted only the table privileges that module needs (SELECT for read-only; SELECT, INSERT, UPDATE and DELETE for read/write). C lets each module's IAM role obtain temporary database credentials for its own user through the GetClusterCredentials API: the Resource in that policy is the ARN of the Redshift database user (arn:aws:redshift:<region>:<account>:dbuser:<cluster>/<db-user>), so the read-only module's policy cannot be used to mint credentials for the read/write user. Call GetClusterCredentials with AutoCreate set to false so that only the explicitly created, reviewed users exist. Options A and B are network-level controls: cluster security groups and VPC endpoint policies decide which hosts can reach the cluster or the Redshift API, not which database user a caller becomes or which tables it may read. Option E names the ARN of an IAM user as the resource, but GetClusterCredentials authorizes against the database user (and optionally database name and group) ARNs, so an IAM user ARN does not grant the database-specific access required.
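The following is an added example, not part of the original question or of any AWS material, showing what options C and D look like in practice: it builds the per-module IAM policy with the Redshift dbuser and dbname resource ARNs, generates the Redshift SQL that creates each local user with the matching privileges, and runs a deliberately simplified allow/deny check to show that each module's policy only matches its own database user. The account ID, region, cluster name, schema and user names are constructed sample values, and the evaluator is a toy approximation of IAM, not the real engine.

```python
"""Per-module IAM policy for redshift:GetClusterCredentials (option C) and the
matching Redshift DDL for the module's local database user (option D).
Example code added for illustration; all identifiers below are constructed."""
import fnmatch
import json

# Constructed sample values; replace with your own cluster details.
REGION, ACCOUNT, CLUSTER, DB = "us-east-1", "123456789012", "app-cluster", "appdb"
ACTION = "redshift:GetClusterCredentials"


def dbuser_arn(region, account, cluster, db_user):
    # Resource format for a Redshift database user, as used by GetClusterCredentials.
    return f"arn:aws:redshift:{region}:{account}:dbuser:{cluster}/{db_user}"


def dbname_arn(region, account, cluster, db_name):
    # Needed in addition to the dbuser ARN when the call names a database.
    return f"arn:aws:redshift:{region}:{account}:dbname:{cluster}/{db_name}"


def module_policy(db_user, region=REGION, account=ACCOUNT, cluster=CLUSTER, db_name=DB):
    """IAM policy for one application module: it may mint temporary credentials
    only for its own database user on this cluster and database."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MintTempCredsForOwnDbUser",
                "Effect": "Allow",
                "Action": ACTION,
                "Resource": [
                    dbuser_arn(region, account, cluster, db_user),
                    dbname_arn(region, account, cluster, db_name),
                ],
            }
        ],
    }


def create_user_sql(db_user, schema, read_only):
    """Redshift DDL for the module's local database user (option D).
    PASSWORD DISABLE means the user can only log in with temporary credentials
    from GetClusterCredentials, never with a stored password."""
    privs = "SELECT" if read_only else "SELECT, INSERT, UPDATE, DELETE"
    return [
        f"CREATE USER {db_user} PASSWORD DISABLE;",
        f"GRANT USAGE ON SCHEMA {schema} TO {db_user};",
        f"GRANT {privs} ON ALL TABLES IN SCHEMA {schema} TO {db_user};",
        # Cover tables created after the grant as well.
        f"ALTER DEFAULT PRIVILEGES IN SCHEMA {schema} GRANT {privs} ON TABLES TO {db_user};",
    ]


def allowed(policy, action, resource):
    """Toy IAM evaluation for this example only (explicit Deny wins, otherwise
    any matching Allow). It is not the real IAM engine; it is here to show that
    a module's policy matches its own dbuser ARN and no other."""
    def matches(pattern, value):
        patterns = pattern if isinstance(pattern, list) else [pattern]
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)

    decision = False
    for statement in policy["Statement"]:
        if matches(statement["Action"], action) and matches(statement["Resource"], resource):
            if statement["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    for db_user, read_only in (("app_ro", True), ("app_rw", False)):
        print(json.dumps(module_policy(db_user), indent=2))
        print("\n".join(create_user_sql(db_user, "app", read_only)), "\n")
    # The read-only module cannot obtain credentials for the read/write user.
    ro_policy = module_policy("app_ro")
    print(allowed(ro_policy, ACTION, dbuser_arn(REGION, ACCOUNT, CLUSTER, "app_rw")))
```

Attach each generated policy to the IAM role of the corresponding Lambda function, run the generated SQL once as a superuser, and have the module call GetClusterCredentials with DbUser set to its own user and AutoCreate set to false; a call for the other module's user is then denied by IAM before it reaches the cluster.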