A company security team has mandated that user access to the Amazon Aurora cluster must be controlled via IAM.
Which solution below implements this requirement?
A. Modify the Aurora cluster to enable IAM authentication. Grant rds_iam privilege to the user. Apply an IAM policy that allows rds-db:connect action to the user.
B. Modify the Aurora cluster to enable IAM authentication. Create an IAM role with rds-db:connect action to the database. Use AWS STS AssumeRole API.
C. Modify the Aurora cluster to enable IAM authentication. Apply an IAM policy that allows rds-db:connect action to the user. Use AWS STS GetSessionToken API.
D. Modify the Aurora cluster to enable IAM authentication. Create an Amazon Cognito User Pool. Create an IAM role with rds-db:connect action to the database. Apply Rule-based mapping to Cognito User Pool to the IAM role.
Answer: A.
Option A is CORRECT because Amazon Aurora supports IAM database authentication.
To use this feature, IAM database authentication must first be enabled on the DB cluster.
Next, a database user must be created and, on Aurora PostgreSQL, granted the rds_iam role; that user needs no database password because the IAM token becomes its credential (on Aurora MySQL the equivalent is creating the user with the AWSAuthenticationPlugin).
Finally, the IAM principal (user or role) must have rds-db:connect permission on the resource ARN that names the cluster and that database user, granted through an IAM policy.
At connect time the client requests a short-lived authentication token (valid for 15 minutes) with aws rds generate-db-auth-token or the SDK equivalent and presents it as the password over an SSL/TLS connection.
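The three artefacts option A calls for, as an added example for this page (not AWS's code): the database-side SQL for the user (including the Aurora MySQL form, which the text does not show), the rds-db:connect policy on the dbuser ARN, and the 15-minute token a client presents as its password. The token generation re-implements, with the standard library only, the SigV4 presigning that aws rds generate-db-auth-token performs, so the token's structure is visible; the host name, account, cluster resource ID, access keys and timestamps are constructed placeholders.

```python
"""IAM database authentication for Aurora, end to end (stdlib only).

Added example, not AWS's code. Produces the DB-user SQL, the rds-db:connect
policy and the auth token, and re-implements the token's SigV4 presigning
so its shape is visible. All identifiers and keys are constructed.
"""
import datetime
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, quote

TOKEN_LIFETIME_SECONDS = 900  # RDS/Aurora IAM auth tokens are valid for 15 minutes
# Constructed timestamp used by the demo and tests.
EXAMPLE_ISSUED_AT = datetime.datetime(2024, 1, 15, 12, 0, 0, tzinfo=datetime.timezone.utc)


def database_user_sql(engine, db_user):
    """SQL the DBA runs once so db_user authenticates with an IAM token."""
    if engine == "postgres":
        # No password: membership in rds_iam makes the IAM token the credential.
        return [f'CREATE USER "{db_user}";', f'GRANT rds_iam TO "{db_user}";']
    if engine == "mysql":
        return [f"CREATE USER '{db_user}'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';"]
    raise ValueError(f"unsupported engine: {engine}")


def rds_connect_policy(region, account_id, cluster_resource_id, db_user):
    """IAM policy granting rds-db:connect for one cluster and one database user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{cluster_resource_id}/{db_user}",
        }],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Build the token that aws rds generate-db-auth-token returns.

    It is a SigV4-presigned GET for Action=connect against service rds-db with
    the scheme stripped. The signature covers host:port, the DB user and the
    expiry, so only a principal allowed rds-db:connect on that dbuser ARN can
    mint a token the cluster accepts, and it is useless after 15 minutes.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials from a role or STS carry a session token
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", "/", query, f"host:{host}:{port}", "", "host",
        hashlib.sha256(b"").hexdigest(),  # empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k_signing = _hmac(_hmac(_hmac(_hmac(f"AWS4{secret_key}".encode(), f"{now:%Y%m%d}"),
                                  region), "rds-db"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"


def token_seconds_remaining(token, at):
    """Seconds until the token expires at time `at`; <= 0 means mint a new one."""
    params = dict(parse_qsl(token.split("?", 1)[1]))
    issued = datetime.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=datetime.timezone.utc)
    expires = issued + datetime.timedelta(seconds=int(params["X-Amz-Expires"]))
    return int((expires - at).total_seconds())


if __name__ == "__main__":
    for stmt in database_user_sql("postgres", "app_reader"):
        print(stmt)
    print(json.dumps(rds_connect_policy("us-east-1", "123456789012",
                                        "cluster-ABCDEFGHIJKLMNOPQRSTUVW", "app_reader"), indent=2))
    token = generate_db_auth_token("aurora-pg.cluster-abcdefghijkl.us-east-1.rds.amazonaws.com", 5432,
                                   "app_reader", "us-east-1", "AKIAIOSFODNN7EXAMPLE",
                                   "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", now=EXAMPLE_ISSUED_AT)
    print(token)  # pass as the password, over an SSL/TLS connection only
```

Two things the token makes concrete: it carries the DB user and a 15-minute expiry inside the signed query string, so a client should call token_seconds_remaining before reusing one, and when the caller holds role or STS credentials the session token simply becomes one more signed parameter, which is why AssumeRole or GetSessionToken on their own add nothing that the database side recognises.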
Option B is incorrect because AWS STS is a web service that issues temporary AWS credentials; AssumeRole returns such credentials for an IAM role.
Those credentials can call AWS APIs, but assuming a role does not by itself enable IAM authentication to RDS and Aurora databases, and option B never creates a database user and grants it rds_iam, so there is no database identity for the role to log in as.
Option C is incorrect for the same reason: GetSessionToken returns temporary credentials for the calling IAM user (typically after MFA) and does not enable IAM authentication to RDS and Aurora databases.
Option C also omits the database-side step of granting rds_iam to a database user, so the rds-db:connect policy alone would not let anyone log in.
Option D is incorrect because Amazon Cognito is an authentication and federation service for the end users of web and mobile apps; rule-based role mapping is a Cognito identity pool feature that decides which IAM role a signed-in user receives temporary credentials for.
That governs who obtains AWS credentials, not database authentication: nothing in option D creates the database user or grants it rds_iam, so it does not enable IAM authentication to RDS and Aurora databases.
Reference:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

The solution to implement the requirement of controlling user access to an Amazon Aurora cluster via IAM is to modify the Aurora cluster to enable IAM authentication, grant rds_iam privilege to the user, and apply an IAM policy that allows the rds-db:connect action to the user.
Option A is the correct solution. Here is a detailed explanation of each option:
A. Modify the Aurora cluster to enable IAM authentication. Grant rds_iam privilege to the user. Apply an IAM policy that allows rds-db:connect action to the user. This option involves modifying the Aurora cluster to enable IAM authentication, which allows users to authenticate to the database with a token derived from their IAM credentials instead of a database password. After enabling IAM authentication, the database user is granted the rds_iam role, which tells Aurora PostgreSQL to accept an IAM authentication token for that user. An IAM policy allowing the rds-db:connect action on the ARN of that cluster and database user is then attached to the IAM user, which grants the IAM user permission to connect as that database user.
B. Modify the Aurora cluster to enable IAM authentication. Create an IAM role with rds-db:connect action to the database. Use AWS STS AssumeRole API. This option involves modifying the Aurora cluster to enable IAM authentication, creating an IAM role with the rds-db:connect action to the database, and using the AWS STS AssumeRole API to assume the IAM role. AssumeRole only yields temporary AWS credentials; the database side of the setup is missing, because no database user has been granted rds_iam, so no one can actually authenticate to the cluster through IAM.
C. Modify the Aurora cluster to enable IAM authentication. Apply an IAM policy that allows rds-db:connect action to the user. Use AWS STS GetSessionToken API. This option involves modifying the Aurora cluster to enable IAM authentication, applying an IAM policy that allows the rds-db:connect action to the user, and using the AWS STS GetSessionToken API to get temporary credentials for the user. GetSessionToken only changes the form of the user's AWS credentials; it is not the database authentication token, and the option again never grants rds_iam to a database user, so the IAM permission has nothing on the database side to map to.
D. Modify the Aurora cluster to enable IAM authentication. Create an Amazon Cognito User Pool. Create an IAM role with rds-db:connect action to the database. Apply Rule-based mapping to Cognito User Pool to the IAM role. This option involves modifying the Aurora cluster to enable IAM authentication, creating an Amazon Cognito User Pool, creating an IAM role with the rds-db:connect action to the database, and applying rule-based mapping to the Cognito User Pool to the IAM role. Rule-based role mapping is a Cognito identity pool feature for federated application users, which adds an unnecessary service for controlling a company's own users' access, and the option still omits the database user with rds_iam, so IAM authentication to the cluster is not completed.
In summary, option A is the best solution because it contains exactly the three steps IAM database authentication requires: enable it on the cluster, map a database user to it with rds_iam, and authorize the IAM user with rds-db:connect, without any unnecessary complexity.