
A company is developing a new application on AWS. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster, an Amazon S3 bucket that contains assets for the application, and an Amazon RDS for MySQL database that contains the dataset for the application. The dataset contains sensitive information. The company wants to ensure that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket.
Which solution will meet these requirements?
A
Create a new AWS Key Management Service (AWS KMS) customer managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the KMS key policy includes encrypt and decrypt permissions for the ECS task execution role.
B
Create an AWS Key Management Service (AWS KMS) AWS managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the S3 bucket policy specifies the ECS task execution role as a user.
C
Create an S3 bucket policy that restricts bucket access to the ECS task execution role. Create a VPC endpoint for Amazon RDS for MySQL. Update the RDS for MySQL security group to allow access from only the subnets that the ECS cluster will generate tasks in.
D
Create a VPC endpoint for Amazon RDS for MySQL. Update the RDS for MySQL security group to allow access from only the subnets that the ECS cluster will generate tasks in. Create a VPC endpoint for Amazon S3. Update the S3 bucket policy to allow access from only the S3 VPC endpoint.
Explanation:
Correct Answer: D
Why Option D is correct:
VPC Endpoint for Amazon RDS for MySQL: This keeps the path between the ECS tasks and the database on the AWS network instead of the public internet. Combined with a security group rule that only admits the ECS cluster's subnets, this provides network-level isolation. Note that a DB instance deployed in a VPC is already reached through a private network interface in that VPC (keep "publicly accessible" off); the RDS interface endpoint privately routes calls to the RDS API, so it is the security group rule that actually gates database connections.
VPC Endpoint for Amazon S3: A gateway endpoint lets tasks in the VPC reach S3 without traversing the public internet. The bucket policy can then deny any request whose aws:SourceVpce condition key does not match that endpoint ID, which rejects requests from outside the VPC even when they carry valid IAM credentials, because an explicit deny overrides every allow.
Security Group Configuration: By updating the RDS security group to only allow access from the specific subnets where ECS tasks run, you enforce access control at the network layer. In practice, referencing the ECS tasks' security group instead of the subnet CIDRs is tighter, since anything else launched in those subnets would otherwise be able to reach the database.
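The two controls from option D, written out as an added example (this is not code from the quiz page): an S3 bucket policy that denies everything not arriving through one S3 VPC endpoint, the matching MySQL ingress rule for the RDS security group, and a small evaluator that models the resource-policy part of IAM evaluation to show why a request from outside the VPC is denied even with valid credentials. The bucket name, endpoint ID, role ARN and security group ID are hypothetical placeholders, and the evaluator deliberately ignores identity policies.

```python
"""Added example, not code from the quiz page: the S3 bucket policy from option D,
restricted to one S3 VPC endpoint, a matching RDS security-group ingress rule, and a
small evaluator showing why requests from outside the VPC are denied even with valid
credentials. All identifiers below are hypothetical placeholders."""
import fnmatch

BUCKET = "example-app-assets"                                   # hypothetical
VPCE_ID = "vpce-0123456789abcdef0"                              # hypothetical S3 endpoint ID
TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/app-task-role"  # hypothetical ECS task role
ECS_TASK_SG = "sg-0abc1234def567890"                            # hypothetical tasks' security group


def bucket_policy(bucket: str, vpce_id: str, task_role_arn: str) -> dict:
    """Explicit Deny for any request not arriving through the S3 VPC endpoint, plus an
    Allow scoped to the ECS task role (the role the application code runs with; the
    task execution role is only used by the ECS agent to pull images and ship logs)."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Sid": "AllowTaskRole",
                "Effect": "Allow",
                "Principal": {"AWS": task_role_arn},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": arns,
            },
        ],
    }


def rds_ingress_rule(ecs_task_sg_id: str) -> dict:
    """MySQL ingress for the RDS security group, in the IpPermissions shape that boto3's
    authorize_security_group_ingress takes. Referencing the tasks' security group is
    tighter than the subnet CIDRs named in the quiz: anything else launched in those
    subnets would otherwise be able to reach the database."""
    return {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "UserIdGroupPairs": [{"GroupId": ecs_task_sg_id}]}


def _principal_matches(stmt_principal, principal: str) -> bool:
    if stmt_principal == "*":
        return True
    aws = stmt_principal.get("AWS", [])
    return principal in (aws if isinstance(aws, list) else [aws])


def _any_match(patterns, value: str) -> bool:
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringNotEquals is modelled. As in IAM, a key that is absent from the request
    context makes StringNotEquals true, so an internet-sourced request (which carries no
    aws:SourceVpce at all) satisfies the Deny statement's condition."""
    for key, expected in condition.get("StringNotEquals", {}).items():
        if context.get(key) == expected:
            return False
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str, context: dict) -> str:
    """Resource-policy subset of IAM evaluation: an explicit Deny beats any Allow, and with
    neither the result is an implicit deny. Identity policies are not modelled, so an
    'ImplicitDeny' here only means the bucket policy itself grants nothing."""
    effects = set()
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt["Principal"], principal)
                and _any_match(stmt["Action"], action)
                and _any_match(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, VPCE_ID, TASK_ROLE_ARN)
    obj = f"arn:aws:s3:::{BUCKET}/assets/logo.png"
    # Task inside the VPC, via the endpoint: Allow.
    print(evaluate(policy, TASK_ROLE_ARN, "s3:GetObject", obj, {"aws:SourceVpce": VPCE_ID}))
    # Same role, but the request left the VPC (e.g. stolen task credentials used from a laptop): Deny.
    print(evaluate(policy, TASK_ROLE_ARN, "s3:GetObject", obj, {}))
    # Another principal through the endpoint: the bucket policy grants it nothing.
    print(evaluate(policy, "arn:aws:iam::123456789012:role/other", "s3:GetObject", obj,
                   {"aws:SourceVpce": VPCE_ID}))
```

The second case is the one the quiz is really testing: option C's role-only bucket policy would allow it, because the credentials are valid, while the aws:SourceVpce deny in option D rejects it regardless of who signed the request.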
Why other options are incorrect:
Option A: KMS encryption protects data at rest but does not control who can reach the data over the network. RDS decrypts its storage transparently for any client that can connect and authenticate, using a grant issued to the RDS service, so giving the ECS task execution role decrypt permission does nothing to limit database access. For S3 objects under SSE-KMS, kms:Decrypt does gate reads, but that is an identity control rather than the network restriction asked for, and the application reads S3 with the ECS task role, not the task execution role.
Option B: Similar to A, KMS encryption does not restrict network access. Additionally, the key policy of an AWS managed key is controlled by AWS and cannot be edited, so access cannot be tailored the way it can with a customer managed key. Naming the ECS task execution role in the bucket policy also targets the wrong role, since that role is only used by the ECS agent to pull images and ship logs.
Option C: This partially addresses the requirements but has limitations: the bucket policy restricts S3 access to a role rather than to the VPC, so the same credentials work from anywhere, and without an S3 VPC endpoint the tasks reach S3 over the internet (through a NAT gateway or a public IP). It also names the ECS task execution role, whereas the application's S3 calls are signed with the ECS task role. Only the RDS half of option C matches option D.
Key Security Principles Applied: network-level isolation (private connectivity plus security group and bucket-policy restrictions on the request's network source) rather than reliance on encryption alone. This solution ensures that only the ECS cluster within the specified VPC can access both the RDS database and the S3 bucket, meeting the requirement to protect the sensitive dataset.