Which combination of steps should a security engineer implement to grant appropriate access?

A developer is building a serverless application hosted on AWS that uses Amazon Redshift as a data store The application has separate modules for readwrite and read-only functionality The modules need their own database users for compliance reasons

Which combination of steps should a security engineer implement to grant appropriate access? (Select TWO.)
A . Configure cluster security groups for each application module to control access to database users that are required for read-only and readwrite
B . Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write
C . Configure an 1AM policy for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call
D . Create local database users for each module
E . Configure an 1AM policy for each module Specify the ARN of an 1AM user that allows the GetClusterCredentials API call

View Answer

Answer: C D

Explanation:

Option A: Configuring cluster security groups is more about network-level access control, not about controlling access at the user or role level in the database which is required here.

Option B: Configuring a VPC endpoint with an endpoint policy for Amazon Redshift primarily controls network-level access to Redshift clusters. It doesn’t map database users to application modules at a user/role level, which is the requirement in the scenario described.

Option E: Specifying the ARN of an IAM user in the IAM policy for GetClusterCredentials API call isn’t the usual practice and can potentially create security risks as it might be providing broad permissions to IAM users.

Therefore, options C and D are the appropriate steps to grant the necessary access as per the given scenario.