Data Security and Governance I
Explore how to secure data in AWS by managing credentials, setting fine-grained access controls, implementing encryption with key rotation, and ensuring auditability. Understand practical solutions for handling sensitive data in services like Lambda, Redshift, Athena, and S3 across multi-account environments to meet security requirements and compliance.
We'll cover the following...
Question 55
A data engineering team has deployed an AWS Lambda function that processes sensitive customer data from an Amazon S3 bucket and writes transformed results to Amazon Redshift. The Lambda function currently uses hardcoded database credentials in environment variables. The security team requires credentials to be rotated automatically every 30 days without application downtime.
Which solution meets these requirements with the least operational overhead?
A. Migrate the credentials to AWS Systems Manager Parameter Store using SecureString parameters. Create an Amazon EventBridge rule that triggers a Lambda function every 30 days to update the parameter value and manually rotate the Redshift credentials.
B. Store the database credentials in AWS Secrets Manager. Configure automatic rotation with a 30-day rotation schedule using the built-in Redshift rotation Lambda function. Update the data processing Lambda function to retrieve credentials from Secrets Manager at runtime.
C. Continue using environment variables, but implement a CI/CD pipeline that updates the Lambda function configuration with new credentials every 30 days. Use AWS CodePipeline to automate deployments.
D. Configure IAM database authentication for the Amazon Redshift cluster. Assign an ...