IAM DB Auth with Lambda
Neil-TutorialsDojo updated 4 months, 3 weeks ago 2 Members · 2 Posts -
Hello!
I think the following question has a misleading explanation about a wrong answer (which is properly explained in the SAA tests).
The question:
Your team is developing a serverless application, which is composed of multiple Lambda functions which process data from an SQS queue and stores the results to an RDS database. To comply with the strict IT policy of the company, you were instructed to configure these functions to share the same connection string that should be properly secured and encrypted.
What should you do to protect, encrypt, and share your database credentials in AWS?
The wrong answer:
Using IAM DB Authentication in RDS to allow encrypted connections from each Lambda function is incorrect because this is primarily used to secure data-in-transit rather than data at rest. IAM DB Authentication simply encrypts the network traffic to and from the RDS database using Secure Sockets Layer (SSL). You cannot store sensitive files using this feature unlike Systems Manager Parameter or AWS Secrets Manager.
The issue:
I may be missing something obvious here, but isn’t it more like the automatic usage of TLS (encryption in transit) is kind of an additional bonus to the whole thing, not the primary use case? Also, the primary goal of this is to avoid hardcoding DB user creds for MySQL/MariaDB and PostgreSQL RDS, which is not mentioned in the explanation at all. It seems to me the explanation of why the answer is wrong is because, 1 – it’s not specified in the question what RDS is used, so we don’t know if it’s a viable option, 2 – it’s explicitly stated that the Lambdas will use a connection string, which eliminates the option to use the temp tokens provided when using IAM DB Auth.
Don’t know if I expressed myself clearly enough, but it just seems like a wrong explanation of why the option is wrong, while there are nice and correct explanations in a couple of places in the SAA tests.
Thank you!
-
Hi Vladislav Krastev,
Thank you for bringing up your concerns regarding the explanation provided for the incorrect answer. You make a valid point about the primary functionality and benefits of IAM DB Authentication, which indeed focuses more on enhancing security by avoiding hardcoded credentials and using AWS-managed temporary credentials for database access.
I appreciate your detailed observations, and we will refine our content to better clarify these distinctions. Thanks for helping improve our resources.
Regards,
Neil @ Tutorials Dojo