Implementing IAM Access Control for Amazon Aurora Cluster | DBS-C01 Exam Answer | Amazon Certification

Implementing IAM Access Control for Amazon Aurora Cluster

Question

A company security team has mandated that user access to the Amazon Aurora cluster must be controlled via IAM.

Which solution below implements this requirement?

Explanations

Answer: A.

Option A is CORRECT because Amazon Aurora supports IAM database authentication.

To use this feature, the database cluster must first be modified to enable IAM authentication.

Then a database user must be created, and the rds_iam privilege must be granted to that user.

Finally, the user needs the rds-db:connect IAM permission to connect to the database.

This permission is granted through an IAM policy.

Options B and C are incorrect because AWS STS is a web service that issues temporary security credentials (access tokens) to users via API.

It does not enable IAM authentication to RDS and Aurora databases.

Option D is incorrect because Amazon Cognito is an authentication service that gives third-party external users, or web and mobile apps, access to AWS resources.

It does not enable or grant IAM authentication to RDS and Aurora databases.

Reference:

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

The correct solution to implement the security team's requirement to control user access to the Amazon Aurora cluster via IAM is:

A. Modify the Aurora cluster to enable IAM authentication. Grant rds_iam privilege to the user. Apply IAM policy that allows rds-db:connect action to the user.

Explanation:

AWS Identity and Access Management (IAM) is a service that helps control access to AWS resources. IAM enables you to manage access to AWS services and resources securely, by creating and managing IAM users, groups, and roles, as well as defining policies that control how these entities can interact with AWS resources.

Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. To control user access to the Aurora cluster via IAM, you need to modify the cluster to enable IAM authentication. When IAM authentication is enabled, you can use IAM to manage database user authentication and authorization.

The correct solution is to modify the Aurora cluster to enable IAM authentication, grant the rds_iam privilege to the user, and apply an IAM policy that allows the rds-db:connect action to the user.

The rds_iam role is an AWS Identity and Access Management (IAM) role that enables Amazon RDS to authenticate using your IAM credentials. When you create an IAM user, you can attach a policy to the user that allows them to connect to the Aurora cluster using IAM authentication. The IAM policy should allow the user to perform the rds-db:connect action, which grants access to the Aurora database.
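As an added example (not code from the exam page, from AWS, or from the exam provider), the following Python builds and checks the three pieces the procedure near the top of the page and the explanation just above describe: the per-user rds-db:connect IAM policy, a least-privilege check of that policy that also flags the wildcard form, and the SQL that creates the database user and grants rds_iam. The region, account id, cluster resource id and user name are constructed placeholders; the `policy_findings` checker and the Aurora MySQL variant (`AWSAuthenticationPlugin`) go beyond what the page shows.

```python
"""Added example (not the exam page's or AWS's own code): build and check the
pieces that make IAM database authentication work for one Aurora user.
All identifiers below (region, account id, cluster resource id, user name)
are constructed placeholders."""
import json
import re

# Constructed placeholders, not real AWS identifiers.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
CLUSTER_RESOURCE_ID = "cluster-EXAMPLE1234567890"  # DbClusterResourceId, not the cluster name
DB_USER = "app_reader"


def rds_db_user_arn(region, account_id, resource_id, db_user):
    """ARN that rds-db:connect is evaluated against. Note the cluster *resource id*
    (cluster-...), not the cluster identifier, followed by the database user name."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"


def connect_policy(region, account_id, resource_id, db_user):
    """Least-privilege IAM policy: rds-db:connect for exactly one DB user on one cluster."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": rds_db_user_arn(region, account_id, resource_id, db_user),
        }],
    }


# One concrete dbuser ARN: no '*' or '?' in the resource id or the user name part.
_DBUSER_ARN = re.compile(
    r"^arn:aws:rds-db:[a-z0-9-]+:\d{12}:dbuser:(cluster|db)-[A-Za-z0-9]+/[^*?/]+$")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy):
    """Review an IAM policy for over-broad rds-db:connect grants.
    Returns a list of findings; an empty list means every connect grant names
    a single database user on a single cluster or instance."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("rds-db:connect", "rds-db:*", "*") for a in actions):
            continue  # statement does not grant database connections
        if any(a in ("rds-db:*", "*") for a in actions):
            findings.append(f"statement {i}: action wildcard {actions} grants more than rds-db:connect")
        for resource in _as_list(stmt.get("Resource")):
            if not _DBUSER_ARN.match(resource):
                findings.append(f"statement {i}: resource {resource!r} is a wildcard or malformed dbuser ARN")
    return findings


def postgres_user_statements(db_user):
    """SQL an administrator runs once on Aurora PostgreSQL: the rds_iam role switches
    the user from password authentication to IAM auth-token authentication."""
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", db_user):
        raise ValueError("db_user must be a plain lowercase identifier")
    return [f"CREATE USER {db_user};", f"GRANT rds_iam TO {db_user};"]


def mysql_user_statements(db_user):
    """Aurora MySQL equivalent (beyond the page's rds_iam wording): the
    AWSAuthenticationPlugin ties the user to IAM authentication."""
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", db_user):
        raise ValueError("db_user must be a plain lowercase identifier")
    return [f"CREATE USER {db_user} IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';"]


# Weak policy for comparison: lets the principal connect as ANY user on ANY cluster
# in the account, which defeats per-user access control.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": f"arn:aws:rds-db:{REGION}:{ACCOUNT_ID}:dbuser:*/*",
    }],
}

if __name__ == "__main__":
    good = connect_policy(REGION, ACCOUNT_ID, CLUSTER_RESOURCE_ID, DB_USER)
    print(json.dumps(good, indent=2))
    print("good policy findings:", policy_findings(good))
    print("weak policy findings:", policy_findings(WEAK_POLICY))
    print("\n".join(postgres_user_statements(DB_USER)))
```

The resource ARN is the part most often got wrong in practice: it must carry the cluster's resource id (the `cluster-...` value shown in the console or returned by `describe-db-clusters`), not the cluster name, and a `dbuser:*/*` resource hands the principal every database user on every cluster in the account. The SQL is run once by an administrator; after that the user presents a short-lived IAM auth token in place of a password.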

Option B is incorrect because using STS AssumeRole API would require an additional step of creating an IAM role with rds-db:connect action to the database, which is not necessary when using option A.

Option C is incorrect because using STS GetSessionToken API is used to provide temporary security credentials to IAM users who have been authenticated using MFA, which is not necessary for this scenario.

Option D is incorrect because creating an Amazon Cognito user pool is not necessary to control user access to the Aurora cluster via IAM. Rule-based mapping from a Cognito user pool to an IAM role does not satisfy the security team's requirement to control user access to the Aurora cluster via IAM.