AWS Certified Security - Specialty

During a test of an incident response plan for compromised credentials, a company encounters an issue where the rotation of a secret in AWS Secrets Manager fails. The secret, containing sensitive database credentials, is configured to rotate using a Lambda function based on a generic template. Both the database running on an EC2 instance and the Lambda function are located in the same private subnet of a VPC equipped with a Secrets Manager VPC endpoint. Despite confirming that the VPC endpoint is functioning correctly, the CloudWatch logs show an error: "setSecret: Unable to log into database". What should be done to resolve this error?




Explanation:

The correct answer is B. The error 'setSecret: Unable to log into database' indicates a connectivity issue between the Lambda function and the EC2 instance where the database is running. The security groups must be configured to allow the necessary communication. Specifically, the security group attached to the Lambda function should allow outbound connections to the EC2 instance, and the security group attached to the EC2 instance should allow inbound connections from the Lambda function. This resolves the issue by ensuring proper network connectivity for the secret rotation process.
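The two-sided security-group requirement in the explanation can be checked mechanically. The following is an added example, not part of the original question or of any AWS tooling: it evaluates constructed security-group descriptions shaped like the EC2 DescribeSecurityGroups response (`IpPermissions`, `IpPermissionsEgress`, `UserIdGroupPairs`) and reports which rule is still missing for the rotation Lambda to reach the database on EC2. The group IDs and the database port (3306) are assumptions.

```python
"""Check that a rotation Lambda's security group and the database instance's
security group together permit the rotation traffic described above."""

DB_PORT = 3306  # assumption: MySQL-style listener; use your database's port


def _rule_allows(rule, port, peer_sg_id):
    """True if one rule entry covers `port` to/from the peer security group
    (or from anywhere). IpProtocol '-1' means all traffic, no port range."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not (
        rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    ):
        return False
    peers = {p.get("GroupId") for p in rule.get("UserIdGroupPairs", [])}
    cidrs = {c.get("CidrIp") for c in rule.get("IpRanges", [])}
    return peer_sg_id in peers or "0.0.0.0/0" in cidrs


def missing_rotation_rules(lambda_sg, db_sg, port=DB_PORT):
    """Return the rules still needed for rotation traffic; [] means both the
    Lambda egress and the database ingress sides are covered."""
    missing = []
    if not any(_rule_allows(r, port, db_sg["GroupId"])
               for r in lambda_sg["IpPermissionsEgress"]):
        missing.append(f"{lambda_sg['GroupId']}: egress tcp/{port} to {db_sg['GroupId']}")
    if not any(_rule_allows(r, port, lambda_sg["GroupId"])
               for r in db_sg["IpPermissions"]):
        missing.append(f"{db_sg['GroupId']}: ingress tcp/{port} from {lambda_sg['GroupId']}")
    return missing


# Constructed sample: the Lambda group keeps the default allow-all egress, but
# the database group only admits a bastion group, so setSecret cannot log in.
LAMBDA_SG = {"GroupId": "sg-lambda0001", "IpPermissions": [],
             "IpPermissionsEgress": [{"IpProtocol": "-1", "UserIdGroupPairs": [],
                                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DB_SG = {"GroupId": "sg-db0001", "IpPermissionsEgress": [],
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion0001"}]}]}
# Same database group after adding the ingress rule from the Lambda group.
FIXED_DB_SG = {"GroupId": "sg-db0001", "IpPermissionsEgress": [],
               "IpPermissions": DB_SG["IpPermissions"] + [
                   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lambda0001"}]}]}

if __name__ == "__main__":
    for line in missing_rotation_rules(LAMBDA_SG, DB_SG):
        print("missing:", line)
```

Feeding the output of `aws ec2 describe-security-groups` for the two groups into `missing_rotation_rules` gives the same check against a live account.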