
Amazon Exam DBS-C01 Topic 1 Question 97 Discussion

Actual exam question for Amazon's DBS-C01 exam
Question #: 97
Topic #: 1

A database specialist needs to enable IAM authentication on an existing Amazon Aurora PostgreSQL DB cluster. The database specialist already has modified the DB cluster settings, has created IAM and database credentials, and has distributed the credentials to the appropriate users.

What should the database specialist do next to establish the credentials for the users to use to log in to the DB cluster?

Suggested Answer: B

Correct Answer: B

Explanation from Amazon documents:

Amazon Aurora PostgreSQL supports IAM authentication, which is a method of using AWS Identity and Access Management (IAM) to manage database access. IAM authentication allows you to use IAM users and roles to control who can access your Aurora PostgreSQL DB cluster, instead of using a traditional database username and password. IAM authentication also provides more security by using temporary credentials that are automatically rotated.

To enable IAM authentication on an existing Aurora PostgreSQL DB cluster, the database specialist needs to do the following:

Modify the DB cluster settings to enable IAM database authentication. This can be done using the AWS Management Console, the AWS CLI, or the RDS API.

Create IAM and database credentials for each user who needs access to the DB cluster. The IAM credentials consist of an access key ID and a secret access key. The database credentials consist of a database username and an optional password. The IAM credentials and the database username must match.

Distribute the IAM and database credentials to the appropriate users. The users must keep their credentials secure and not share them with anyone else.

Run the generate-db-auth-token command with the user names to generate a temporary password for the users. This command is part of the AWS CLI and it generates an authentication token that is valid for 15 minutes. The authentication token is a string that has the same format as a password. The users can use this token as their password when they connect to the DB cluster using a SQL client.

Therefore, option B is the correct solution to establish the credentials for the users to use to log in to the DB cluster.

Option A is incorrect because adding the users' IAM credentials to the Aurora cluster parameter group is not necessary or possible. A cluster parameter group is a collection of DB engine configuration values that define how a DB cluster operates.

Option C is incorrect because adding the users' IAM credentials to the default credential profile and using the AWS Management Console to access the DB cluster is not supported or secure. The default credential profile is a file that stores your AWS credentials for use by AWS CLI or SDKs. The AWS Management Console does not allow you to connect to an Aurora PostgreSQL DB cluster using IAM authentication.

Option D is incorrect because using an AWS Security Token Service (AWS STS) token by sending the IAM access key and secret key as headers to the DB cluster API endpoint is not supported or secure. AWS STS is a service that enables you to request temporary, limited-privilege credentials for IAM users or federated users. The DB cluster API endpoint is an endpoint that allows you to perform administrative actions on your DB cluster using RDS API calls.
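What the `generate-db-auth-token` step produces, as an added example that is not from the original page or from AWS's own code: a standard-library Python function that builds a token with the SigV4 query-signing scheme (service name `rds-db`), showing that the temporary password is a signed, 900-second connect request and never contains the secret key. The keys, host name and user are constructed sample values, and the extra session-token parameter used with temporary IAM credentials is left out.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Constructed sample values (documentation-style example keys, placeholder host).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HOST, PORT, REGION = "example-cluster.cluster-xxxx.us-east-1.rds.amazonaws.com", 5432, "us-east-1"

def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def build_auth_token(host, port, user, region, access_key, secret_key, now=None):
    """Presign a GET /?Action=connect request for service 'rds-db', valid 900 s."""
    now = now or dt.datetime.now(dt.timezone.utc)
    stamp, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{day}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect", "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": stamp, "X-Amz-Expires": "900",  # 15 minutes
        "X-Amz-SignedHeaders": "host",
    }
    enc = lambda s: quote(s, safe="-_.~")
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/", query, f"host:{host}:{port}", "", "host", _sha256("")])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", stamp, scope, _sha256(canonical)])
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, "rds-db", "aws4_request"):  # SigV4 key derivation chain
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"

def token_expiry(token: str) -> dt.datetime:
    """Read the issue time and lifetime back out of a token."""
    fields = parse_qs(token.split("?", 1)[1])
    issued = dt.datetime.strptime(fields["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(fields["X-Amz-Expires"][0]))

if __name__ == "__main__":
    token = build_auth_token(HOST, PORT, "app_user", REGION, ACCESS_KEY, SECRET_KEY)
    print(token[:90] + "...")
    print("expires:", token_expiry(token).isoformat())
```

In practice the token comes from `aws rds generate-db-auth-token --hostname <host> --port <port> --region <region> --username <db-user>` and is supplied to the SQL client as the password.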


Contribute your Thoughts:

Louann
14 days ago
Ah, the good old `generate-db-auth-token` command. The Swiss Army knife of database authentication solutions.
upvoted 0 times
...
Marica
15 days ago
Option B all the way! Better than trying to remember a million IAM credentials. Just generate that token and let's get this show on the road.
upvoted 0 times
...
Charlena
16 days ago
I'm just gonna go with Option B and call it a day. Who needs complicated solutions when you can have a temporary password, am I right?
upvoted 0 times
...
Martha
23 days ago
Using an AWS STS token by sending the IAM access key and secret key as headers to the DB cluster API endpoint? That's a bit too complicated for my liking.
upvoted 0 times
Paris
1 days ago
C) Add the users' IAM credentials to the default credential profile, Use the AWS Management Console to access the DB cluster.
upvoted 0 times
...
Reiko
13 days ago
B) Run the generate-db-auth-token command with the user names to generate a temporary password for the users.
upvoted 0 times
...
Karima
15 days ago
A) Add the users' IAM credentials to the Aurora cluster parameter group.
upvoted 0 times
...
...
Felix
29 days ago
I think option D is not the best choice, sending access keys as headers could pose security risks.
upvoted 0 times
...
Javier
1 months ago
I believe option A could also work, adding IAM credentials to the parameter group.
upvoted 0 times
...
Lawana
1 months ago
I'm not sure why we would need to add the IAM credentials to the Aurora cluster parameter group or the default credential profile. Seems like overkill.
upvoted 0 times
Mozell
6 days ago
B) Run the generate-db-auth-token command with the user names to generate a temporary password for the users.
upvoted 0 times
...
An
17 days ago
A) Add the users' IAM credentials to the Aurora cluster parameter group.
upvoted 0 times
...
...
Delila
1 months ago
Option B sounds like the way to go. Generating a temporary password with the `generate-db-auth-token` command seems like the easiest solution.
upvoted 0 times
...
Ludivina
1 months ago
I agree with Novella, generating a temporary password seems like the right way to go.
upvoted 0 times
...
Novella
2 months ago
I think the database specialist should choose option B.
upvoted 0 times
...
