An online grocery delivery application uses credentials stored in AWS Secrets Manager to access data in an Amazon RDS database.
The Security Team is planning to initiate rotation of the secret holding the Amazon RDS database credentials.
To confirm networking readiness, they are seeking your advice on what is required for a complete, successful rotation of the secret. Which of the following statements are TRUE with regard to the networking requirements for rotating secrets? (Select TWO.)
A. AWS CloudFormation template for Lambda rotation function will determine the accessibility of the database & will create Lambda function outside the VPC.
B. Lambda rotation function should communicate with the Amazon Secrets Manager over the internet using NAT Instance.
C. AWS CloudFormation template for Lambda rotation function will determine the accessibility of the database & will create Lambda function in the same VPC.
D. Lambda rotation function should communicate with the Amazon Secrets Manager over the internet using NAT Gateway.
E. Lambda rotation function should communicate with the Amazon Secrets Manager over Secrets Manager service endpoints.

Correct Answers: C and E.
The Lambda rotation function used by AWS Secrets Manager is created with AWS CloudFormation.
To rotate a secret, the Lambda rotation function must be able to communicate with both the database and AWS Secrets Manager.
In this case, since the database runs in a VPC, the CloudFormation template for the Lambda rotation function creates the Lambda function in that same VPC.
This ensures that communication between the Lambda function and the database stays local to the VPC.
The AWS Secrets Manager API endpoints are public. For a Lambda function inside a VPC to reach Secrets Manager, a Secrets Manager VPC service endpoint can be used, so that the traffic stays on the AWS network rather than traversing the internet.
Option A is incorrect: the CloudFormation template for the Lambda rotation function creates the Lambda function in the same VPC as the database, not outside it.
A function outside the VPC would not communicate with the database locally within the VPC.

Options B & D are incorrect. The AWS Secrets Manager endpoints are on the public network, and a Secrets Manager service endpoint is preferred over a NAT instance or NAT gateway because the traffic then stays on the AWS network instead of crossing the internet.
For more information on AWS Secrets Manager network requirements for secret rotation, refer to the following URL:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html

To successfully rotate secrets, the AWS Security Team needs to ensure that the credentials are updated across all the systems that use them. In the case of an online grocery delivery application, the credentials are stored in AWS Secrets Manager and used to access data from the Amazon RDS database. Therefore, the Security Team needs to consider the networking requirements for rotating secrets in AWS.
A. AWS CloudFormation template for Lambda rotation function will determine the accessibility of the database & will create Lambda function outside the VPC.
This statement is not correct. While a CloudFormation template can create a Lambda rotation function, the accessibility of the database is determined by the VPC configuration. Therefore, the CloudFormation template should create the Lambda function within the VPC that hosts the RDS database.
C. AWS CloudFormation template for Lambda rotation function will determine the accessibility of the database & will create Lambda function in the same VPC.
This statement is correct. The CloudFormation template for the Lambda rotation function should create the Lambda function within the same VPC as the RDS database. This ensures that the Lambda function can reach the database over the VPC network.
B. Lambda rotation function should communicate with the Amazon Secrets Manager over the internet using NAT Instance.
D. Lambda rotation function should communicate with the Amazon Secrets Manager over the internet using NAT Gateway.
Neither of these statements is recommended, for security reasons. Communicating with AWS Secrets Manager over the internet is a potential security risk. Instead, the Lambda rotation function should communicate with Secrets Manager through a VPC endpoint. This is achieved by configuring a VPC endpoint for Secrets Manager in the VPC where the Lambda function is deployed.
E. Lambda rotation function should communicate with the Amazon Secrets Manager over Secrets Manager service endpoints.
This statement is correct. The Lambda rotation function should communicate with Secrets Manager over the Secrets Manager service endpoint. This keeps the communication on the AWS network and off the internet. The VPC endpoint for Secrets Manager must be configured in the VPC where the Lambda function is deployed.
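The two correct answers amount to a pair of checks a practitioner can run before starting rotation: is the rotation function attached to the database's VPC, and does that VPC have a Secrets Manager interface endpoint with private DNS so the function never needs a NAT path? The script below is an added example (not from this page or from AWS) that performs both checks. Its pure functions take the response shapes returned by boto3's `describe_db_instances`, `get_function_configuration` and `describe_vpc_endpoints`, so they can be exercised offline against the constructed sample responses embedded here; `main()` wires them to a live account. Every resource name and id in the samples (`grocery-db`, `vpc-0aaa`, `SecretsManagerRDSRotation`, and so on) is an assumption made up for the example.

```python
"""Readiness check for the two rotation networking requirements (added example).

Pure functions take boto3 response shapes so they can be tested with constructed
data; main() runs the same logic against a real account via boto3.
"""
from __future__ import annotations


def db_vpc(db_instance: dict) -> str:
    """VPC id of an RDS instance, taken from its DBSubnetGroup."""
    return db_instance["DBSubnetGroup"]["VpcId"]


def lambda_vpc(function_config: dict) -> str | None:
    """VPC id the Lambda function is attached to, or None if it runs outside any VPC.
    Functions with no VPC attachment return either no VpcConfig or an empty VpcId."""
    return (function_config.get("VpcConfig") or {}).get("VpcId") or None


def has_secretsmanager_endpoint(endpoints: list[dict], vpc_id: str, region: str) -> bool:
    """True if vpc_id has an available Secrets Manager interface endpoint with private
    DNS enabled, so the regional secretsmanager hostname resolves inside the VPC."""
    service = f"com.amazonaws.{region}.secretsmanager"
    return any(
        ep.get("VpcId") == vpc_id
        and ep.get("ServiceName") == service
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("State") == "available"
        and ep.get("PrivateDnsEnabled", False)
        for ep in endpoints
    )


def check_rotation_network(db_instance: dict, function_config: dict,
                           endpoints: list[dict], region: str) -> list[str]:
    """Return findings; an empty list means requirements C and E are both met."""
    findings: list[str] = []
    db = db_vpc(db_instance)
    fn = lambda_vpc(function_config)
    if fn is None:
        findings.append(f"rotation function is not attached to a VPC; it must run in {db}, "
                        "the database's VPC")
    elif fn != db:
        findings.append(f"rotation function is in {fn} but the database is in {db}")
    # Only meaningful when the function is inside a VPC: that is when it needs the
    # service endpoint to reach Secrets Manager without a NAT path over the internet.
    if fn is not None and not has_secretsmanager_endpoint(endpoints, fn, region):
        findings.append(f"no available Secrets Manager interface endpoint with private DNS "
                        f"in {fn}; the function would need NAT to reach Secrets Manager")
    return findings


# ---- constructed sample responses (not real account data) ----
REGION = "us-east-1"
DB = {"DBInstanceIdentifier": "grocery-db",
      "DBSubnetGroup": {"VpcId": "vpc-0aaa", "Subnets": [{"SubnetIdentifier": "subnet-0a1"}]}}
FN_IN_VPC = {"FunctionName": "SecretsManagerRDSRotation",
             "VpcConfig": {"VpcId": "vpc-0aaa", "SubnetIds": ["subnet-0a1"],
                           "SecurityGroupIds": ["sg-0rot"]}}
FN_NO_VPC = {"FunctionName": "SecretsManagerRDSRotation",
             "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}}
ENDPOINT_OK = [{"VpcEndpointId": "vpce-0sm", "VpcId": "vpc-0aaa", "VpcEndpointType": "Interface",
                "ServiceName": f"com.amazonaws.{REGION}.secretsmanager", "State": "available",
                "PrivateDnsEnabled": True}]
ENDPOINT_NONE: list[dict] = []


def demo() -> dict[str, list[str]]:
    """Run the check over the constructed samples: one ready case, two failing cases."""
    return {
        "ready": check_rotation_network(DB, FN_IN_VPC, ENDPOINT_OK, REGION),
        "no_vpc": check_rotation_network(DB, FN_NO_VPC, ENDPOINT_OK, REGION),
        "no_endpoint": check_rotation_network(DB, FN_IN_VPC, ENDPOINT_NONE, REGION),
    }


def main(db_identifier: str, function_name: str, region: str) -> int:
    """Live check; boto3 is imported here so everything above runs without it."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    lam = boto3.client("lambda", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    db = rds.describe_db_instances(DBInstanceIdentifier=db_identifier)["DBInstances"][0]
    fn = lam.get_function_configuration(FunctionName=function_name)
    eps = ec2.describe_vpc_endpoints()["VpcEndpoints"]
    findings = check_rotation_network(db, fn, eps, region)
    for finding in findings:
        print("NOT READY:", finding)
    if not findings:
        print("network readiness OK")
    return 1 if findings else 0


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # python check.py <db-identifier> <function-name> <region>
        sys.exit(main(*sys.argv[1:]))
    for name, result in demo().items():
        print(name, "->", result or ["ok"])
```

The script covers only what the page discusses (VPC placement and the service endpoint). Security groups are a separate readiness item it does not check: the function's security group must be allowed to reach the endpoint on port 443 and the database on its listener port.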
In summary, the correct statements regarding networking requirements for rotating secrets are: