Implementing IAM Database Authentication for AWS Aurora | Lambda Function SQL Queries | AWS Certified Developer Exam

IAM Database Authentication for AWS Aurora


Question

You are building a Lambda function that connects to an AWS Aurora cluster and performs SQL queries.

You want to use IAM database authentication to connect to the DB cluster so that the Lambda function does not need to use a username and password.

IAM should manage the authentication process.

How would you implement this?

Answers

Explanations


Correct Answer - A.

Option A is CORRECT: with IAM database authentication, a Lambda function whose execution role holds the rds-db:connect permission can generate a short-lived authentication token from IAM and present that token to the cluster in place of a password.

Option B is incorrect: Secrets Manager stores and rotates a conventional username and password; the question requires IAM database authentication, where no stored password exists at all.

Option C is incorrect: the IAM policy must be attached to the Lambda execution role. You cannot assign an IAM user to a Lambda function.

Option D is incorrect: its description of the setup is wrong.

After IAM database authentication is enabled on the cluster, you add the IAM permission (rds-db:connect on the specific cluster and database user) to the execution role so that the Lambda function can request an authentication token.

Reference:

https://aws.amazon.com/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

The correct answer is A. Enable IAM database authentication in the DB cluster and assign the IAM permission to the Lambda execution role.

Explanation: AWS Aurora is a fully managed, highly scalable relational database engine compatible with MySQL and PostgreSQL. It provides automated backups, read replicas and automated storage scaling.

When a Lambda function needs to access an Aurora DB cluster, it can use IAM database authentication instead of a stored username and password. IAM database authentication uses AWS Identity and Access Management (IAM) to manage database access: the function signs a token with its execution role's temporary credentials, the token is valid for only 15 minutes, the connection must use SSL/TLS, and who may connect as which database user is controlled by an IAM policy rather than by a secret that has to be stored, distributed and rotated.

To implement IAM database authentication, you should follow these steps:

  1. Enable IAM database authentication in the Aurora cluster:

    • You can enable it when creating or modifying the cluster using the AWS Management Console, AWS CLI (the enable-iam-database-authentication option of modify-db-cluster), or AWS SDKs.
    • Enabling the setting switches on the engine's IAM authentication plugin. There is no IAM role that Aurora assumes to authenticate users; the cluster simply verifies the signed token the client presents.
    • Create the database user the function will log in as, and mark it as IAM-authenticated: on Aurora MySQL the user is created with the AWSAuthenticationPlugin and the 'RDS' authentication string, on Aurora PostgreSQL the user is granted the rds_iam role. Grant that user only the table privileges the function needs.
  2. Assign IAM permission to the Lambda execution role:

    • The execution role needs a policy statement allowing the rds-db:connect action on the resource arn:aws:rds-db:<region>:<account>:dbuser:<cluster resource ID>/<database user>. Scope it to the one database user rather than using a wildcard.
    • No role-assumption is involved: the function signs the token with the execution role's own temporary credentials.
    • If the cluster is in a VPC (the normal case), the execution role also needs the usual VPC networking permissions for Lambda, and the function must be configured in subnets that can reach the cluster.
    • You can attach the policy using the AWS Management Console, AWS CLI, or AWS SDKs.
  3. Modify the Lambda function to use IAM database authentication:

    • In the function code, generate an authentication token for the cluster endpoint, port, region and database user; in boto3 this is rds.generate_db_auth_token, and the other AWS SDKs have an equivalent signer. The call is local (a SigV4 presign), not an API round trip.
    • Pass the token as the password to the normal MySQL or PostgreSQL driver, with SSL/TLS required and the RDS CA bundle configured; the engine rejects token logins over plaintext.
    • Generate a fresh token for each new connection rather than caching one across invocations, since it expires 15 minutes after it is signed. AWS also documents a limit on the rate of new IAM-authenticated connections, so reuse open connections where the execution model allows it.

In summary, to implement IAM database authentication for a Lambda function that connects to an Aurora cluster, you enable IAM database authentication on the cluster and create an IAM-authenticated database user, grant the Lambda execution role rds-db:connect on that cluster and user, and change the function to connect with a freshly generated authentication token over TLS instead of a password.
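The three steps above, as an added example that is not part of the original page or of any AWS sample: the IAM statement from step 2 built as a dict, the authentication token from step 3 constructed by hand with the standard library so that its shape is visible (boto3's rds.generate_db_auth_token produces the same SigV4 presigned request), and a constructed Lambda handler that uses it with pymysql. The host name, key IDs, resource ID, fixed clock and CA bundle path are assumptions made up for the example.

```python
"""Added example (not from the original page): what option A's "authentication
token" is, the IAM statement the execution role needs, and a Lambda handler
that connects with the token. The token is a SigV4 presigned request for the
rds-db service, valid for 15 minutes, passed to the engine in place of a
password; boto3's rds.generate_db_auth_token() produces the same thing. Only
the standard library is used here so the token's shape is visible."""
import datetime as dt
import hashlib
import hmac
import os
import urllib.parse

SERVICE = "rds-db"
TOKEN_TTL_SECONDS = 900  # lifetime is fixed at 15 minutes; it cannot be extended


def connect_policy(region, account_id, cluster_resource_id, db_user):
    """Step 2: the statement for the Lambda execution role. The resource names
    the cluster's resource ID (cluster-...), not its name, and one DB user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:"
                        f"{cluster_resource_id}/{db_user}",
        }],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _quote(value):
    # SigV4 URI encoding: everything except unreserved characters is escaped
    return urllib.parse.quote(value, safe="-_.~")


def build_auth_token(host, port, db_user, region, access_key, secret_key,
                     session_token=None, now=None):
    """Step 3: SigV4-presign GET https://host:port/?Action=connect&DBUser=...
    and strip the scheme. Same construction boto3 uses."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # execution-role credentials are temporary, so this is set
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    canonical_request = "\n".join(
        ["GET", "/", query, f"host:{host_header}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"), date),
                                  region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return f"{host_header}/?{query}&X-Amz-Signature={signature}"


def demo_token(secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"):
    """Constructed inputs (example host, key ID, fixed clock) so the output is
    reproducible offline; nothing here contacts AWS."""
    fixed = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
    return build_auth_token("demo.cluster-abc123.us-east-1.rds.amazonaws.com", 3306,
                            "lambda_app", "us-east-1", "AKIAIOSFODNN7EXAMPLE",
                            secret_key, session_token="FwoGZXIvYXdzEXAMPLE", now=fixed)


def lambda_handler(event, context):
    """Constructed handler. The runtime exposes the execution role's temporary
    credentials as environment variables, so no password exists anywhere."""
    import pymysql  # assumed to be packaged with the function (Aurora MySQL)
    host, db_user = os.environ["DB_HOST"], os.environ["DB_USER"]
    port = int(os.environ.get("DB_PORT", "3306"))
    token = build_auth_token(
        host, port, db_user, os.environ["AWS_REGION"],
        os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
        os.environ.get("AWS_SESSION_TOKEN"))
    # The engine rejects token logins over plaintext: TLS with CA validation is
    # mandatory. The bundle path is an assumption for this example.
    conn = pymysql.connect(host=host, port=port, user=db_user, password=token,
                           database=os.environ["DB_NAME"], connect_timeout=5,
                           ssl={"ca": os.environ.get("RDS_CA_BUNDLE", "/opt/global-bundle.pem")})
    try:
        with conn.cursor() as cur:
            cur.execute("SELECT CURRENT_USER()")
            return {"connected_as": cur.fetchone()[0]}
    finally:
        conn.close()
```

In a real function you would call boto3.client("rds").generate_db_auth_token(...) instead of build_auth_token; the hand-rolled version is here to make two points that decide the exam question. First, nothing is fetched from AWS: the token is computed locally from the execution role's temporary credentials, which is why only that role's rds-db:connect permission matters and why an IAM user cannot be "assigned" to the function. Second, the X-Amz-Date and X-Amz-Expires fields are baked into the signature, so a cached token simply stops working 15 minutes after it was signed, and a connection should be opened with a token generated for it.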