Topic: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

A company is developing a new application on AWS. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster, an Amazon S3 bucket that contains assets for the application, and an Amazon RDS for MySQL database that contains the dataset for the application. The dataset contains sensitive information. The company wants to ensure that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket.

Which solution will meet these requirements?

A.
Create a new AWS Key Management Service (AWS KMS) customer managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the KMS key policy includes encrypt and decrypt permissions for the ECS task execution role.
B.
Create an AWS Key Management Service (AWS KMS) AWS managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the S3 bucket policy specifies the ECS task execution role as a user.
C.
Create an S3 bucket policy that restricts bucket access to the ECS task execution role. Create a VPC endpoint for Amazon RDS for MySQL. Update the RDS for MySQL security group to allow access from only the subnets that the ECS cluster will generate tasks in.
D.
Create a VPC endpoint for Amazon RDS for MySQL. Update the RDS for MySQL security group to allow access from only the subnets that the ECS cluster will generate tasks in. Create a VPC endpoint for Amazon S3. Update the S3 bucket policy to allow access from only the S3 VPC endpoint.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

Option D is the most comprehensive solution as it leverages VPC endpoints for both Amazon RDS and Amazon S3, along with proper network-level controls to restrict access to only the necessary resources from the ECS cluster.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

D only secures access to RDS and S3; it does not secure the sensitive data inside RDS and S3.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

We're asked to restrict access to both RDS and S3 to "the ECS cluster" (not to a subnet or endpoint).

Not B: Does not restrict RDS at all. The wording about S3 is unusual.
Not C: Would work for S3, but would allow RDS access from the whole subnet, which may contain other resources besides the ECS cluster.
Not D: Would allow RDS access from the whole subnet, which may contain other resources besides the ECS cluster. Would allow S3 access from the VPC endpoint, which might be used by other resources besides the ECS cluster.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

In my opinion, "The dataset contains sensitive information" is the main piece of information that motivates the real requirement, which is "The company wants to ensure that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket". So we have to take these two assertions into consideration.
And knowing that, unlike S3's default encryption capabilities, RDS MySQL DB instance encryption is not active by default (check this link for details: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html ), option A is the best option to meet the requirements of accessing the datasets and the assets only from ECS cluster tasks while preserving, at the same time, data confidentiality and integrity. In other words, option A is the best one to ensure data protection at rest for S3 and RDS and access only by the ECS cluster.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

Try asking ChatGPT, please.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

A seems right

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

Vote for A. Keywords: “sensitive information” and “data in…”
D: only network control; it can’t control data access to sensitive information.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

I did not get how D achieves access only from the ECS cluster to the S3 VPC endpoint.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

A: When only the ECS task execution role is able to encrypt and decrypt the data in RDS and in the S3 bucket by means of the KMS key policy, you ensure that nothing else can read or modify the data.
B: This answer doesn’t state that only the ECS cluster can reach the data.
C: Creating a VPC endpoint for RDS does not mean that only the ECS cluster can reach the data.
D: The S3 VPC endpoint does not guarantee that only the ECS cluster can reach the data. Also, allowing a subnet to have access to RDS sounds too open to me.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

Options A and B involve using AWS Key Management Service (AWS KMS) for encryption but do not directly address the requirement to restrict access to the ECS cluster. Option C is not the most direct approach for restricting access to the RDS database, as it focuses on the S3 bucket.

Therefore, option D is the most appropriate solution for ensuring that only the ECS cluster can access the data in the RDS for MySQL database and the data in the S3 bucket.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

C. Need to restrict access from the ECS cluster.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

Create a VPC endpoint for Amazon RDS for MySQL: This ensures that the ECS cluster can access the RDS database directly within the same Virtual Private Cloud (VPC), without having to go over the internet. By updating the security group to allow access only from the specific subnets that the ECS cluster will generate tasks in, you limit access to only the authorized entities.

Create a VPC endpoint for Amazon S3: This allows the ECS cluster to access the S3 bucket directly within the same VPC. By updating the S3 bucket policy to allow access only from the S3 VPC endpoint, you restrict access to the designated VPC, ensuring that only authorized resources can access the S3 bucket.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 663

I agree this will allow only resources from the VPC but will not restrict access to only the ECS cluster. I suggest we use a bucket policy that names the ECS cluster role on top of the network settings.
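The disagreement in this thread is whether a VPC-endpoint-only bucket policy (option D) is enough, or whether the policy must also name the role the tasks run as. The added example below (not from the original thread, and not AWS's own code) builds both variants of an S3 bucket policy as explicit Deny statements and runs a simplified model of IAM evaluation over constructed request contexts; the VPC endpoint ID, account ID and role ARN are placeholders. In a live account the application's credentials come from the ECS task role rather than the task execution role, so that is the ARN you would pin.

```python
# Added example: S3 bucket policy restricting access to a VPC endpoint,
# optionally also to one IAM role. IDs below are constructed placeholders.
VPCE_ID = "vpce-0123456789abcdef0"
TASK_ROLE_ARN = "arn:aws:iam::111122223333:role/app-task-role"
BUCKET_ARN = "arn:aws:s3:::example-app-assets"
RESOURCES = [BUCKET_ARN, f"{BUCKET_ARN}/*"]


def bucket_policy(require_role: bool) -> dict:
    """Deny-based policy: explicit Deny always wins in IAM evaluation,
    so these statements hold regardless of what identity policies allow."""
    statements = [{
        "Sid": "DenyRequestsNotViaVpcEndpoint",   # option D's network control
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": RESOURCES,
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }]
    if require_role:
        statements.append({
            "Sid": "DenyAllButTaskRole",           # the extra role restriction
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": RESOURCES,
            # For an assumed-role session aws:PrincipalArn is the role ARN.
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": TASK_ROLE_ARN}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def is_denied(policy: dict, request_ctx: dict) -> bool:
    """Simplified model of the Deny side of IAM evaluation: a request is
    denied if every StringNotEquals key of some Deny statement fails to
    match. A key absent from the request context counts as not equal,
    which is how negated condition operators behave in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = stmt["Condition"]["StringNotEquals"]
        if all(request_ctx.get(key) != value for key, value in conds.items()):
            return True
    return False


# Constructed request contexts: an ECS task via the endpoint, another role in
# the same VPC via the same endpoint, and a request that bypasses the endpoint.
ECS_TASK = {"aws:SourceVpce": VPCE_ID, "aws:PrincipalArn": TASK_ROLE_ARN}
OTHER_IN_VPC = {"aws:SourceVpce": VPCE_ID,
                "aws:PrincipalArn": "arn:aws:iam::111122223333:role/other-role"}
FROM_INTERNET = {"aws:PrincipalArn": TASK_ROLE_ARN}
```

With `require_role=False` the other role in the VPC is allowed through, which is the gap the last two replies describe; with `require_role=True` only the task role arriving via the endpoint passes. A real deployment keeps an administrative role in the exception list so the Deny cannot lock operators out of the bucket.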