
A company wants to share accounting data with an external auditor. The data is stored in an Amazon RDS DB instance that resides in a private subnet. The auditor has its own AWS account and requires its own copy of the database.
What is the MOST secure way for the company to share the database with the auditor?
A. Create a read replica of the database. Configure IAM standard database authentication to grant the auditor access.
B. Export the database contents to text files. Store the files in an Amazon S3 bucket. Create a new IAM user for the auditor. Grant the user access to the S3 bucket.
C. Copy a snapshot of the database to an Amazon S3 bucket. Create an IAM user. Share the user's keys with the auditor to grant access to the object in the S3 bucket.
D. Create an encrypted snapshot of the database. Share the snapshot with the auditor. Allow access to the AWS Key Management Service (AWS KMS) encryption key.
Explanation:
Option D is the most secure approach because it uses AWS's built-in secure sharing mechanisms:
Encrypted Snapshot: Creating an encrypted snapshot ensures the data is protected at rest using AWS KMS encryption.
Cross-Account Snapshot Sharing: Amazon RDS allows sharing encrypted snapshots with other AWS accounts, which is a secure and managed way to transfer database copies.
KMS Key Sharing: By allowing access to the KMS encryption key, the auditor can decrypt and use the snapshot in their own account.
Auditor Gets Their Own Copy: The auditor can restore the snapshot in their own AWS account, giving them full control and isolation from the company's environment.
Why other options are less secure:
Option A: Creating a read replica still exposes the company's database directly to external access. IAM database authentication is secure but doesn't provide complete isolation, and the auditor doesn't get their own copy.
Option B: Exporting to text files loses database structure and security features. Storing in S3 and sharing via IAM user is less secure than using AWS's native snapshot sharing with encryption.
Option C: Copying to S3 and sharing IAM user keys is insecure because IAM user credentials should never be shared. This violates security best practices.
Key Security Benefits of Option D: