
  • IAM DB Auth with Lambda

  • Vladislav Krastev

    Member
    May 20, 2024 at 1:24 am

    Hello!

    I think the following question has a misleading explanation about a wrong answer (which is properly explained in the SAA tests).

    The question:

    Your team is developing a serverless application, which is composed of multiple Lambda functions which process data from an SQS queue and store the results to an RDS database. To comply with the strict IT policy of the company, you were instructed to configure these functions to share the same connection string that should be properly secured and encrypted.

    What should you do to protect, encrypt, and share your database credentials in AWS?


    The wrong answer:

    Using IAM DB Authentication in RDS to allow encrypted connections from each Lambda function is incorrect because this is primarily used to secure data-in-transit rather than data at rest. IAM DB Authentication simply encrypts the network traffic to and from the RDS database using Secure Sockets Layer (SSL). You cannot store sensitive files using this feature unlike Systems Manager Parameter or AWS Secrets Manager.


    The issue:

    I may be missing something obvious here, but isn’t it more like the automatic usage of TLS (encryption in transit) is kind of an additional bonus to the whole thing, not the primary use case? Also, the primary goal of this is to avoid hardcoding DB user creds for MySQL/MariaDB and PostgreSQL RDS, which is not mentioned in the explanation at all. It seems to me the explanation of why the answer is wrong is because, 1 – it’s not specified in the question what RDS is used, so we don’t know if it’s a viable option, 2 – it’s explicitly stated that the Lambdas will use a connection string, which eliminates the option to use the temp tokens provided when using IAM DB Auth.


    Don’t know if I expressed myself clearly enough, but it just seems like a wrong explanation of why the option is wrong, while there are nice and correct explanations in a couple of places in the SAA tests.


    Thank you!

  • Neil-TutorialsDojo

    Member
    May 20, 2024 at 12:31 pm

    Hi Vladislav Krastev,

    Thank you for bringing up your concerns regarding the explanation
    provided for the incorrect answer. You make a valid point about the
    primary functionality and benefits of IAM DB Authentication, which
    indeed focuses more on enhancing security by avoiding hardcoded
    credentials and using AWS-managed temporary credentials for database
    access.

    I appreciate your detailed observations, and we will refine our content
    to better clarify these distinctions. Thanks for helping improve our
    resources.

    Regards,

    Neil @ Tutorials Dojo
