A company security team has mandated that user access to the Amazon Aurora cluster must be controlled via IAM. Which solution below implements this requirement?

Answer options:

A.Modify the Aurora cluster to enable IAM authentication. Grant rds_iam privilege to the user. Apply IAM policy that allows rds-db:connect action to the user.
B.Modify the Aurora cluster to enable IAM authentication. Create an IAM role with rds-db:connect action to the database. Use AWS STS AssumeRole API.
C.Modify the Aurora cluster to enable IAM authentication. Apply IAM policy that allows rds-db:connect action to the user. Use AWS STS GetSessionToken API.
D.Modify the Aurora cluster to enable IAM authentication. Create an Amazon Cognito User Pool. Create an IAM role with rds-db:connect action to the database. Apply Rule-based mapping to Cognito User Pool to the IAM role.

Answer: A
Option A is CORRECT because Amazon Aurora supports IAM authentication. In order to utilize this feature, the database cluster must be modified to enable IAM authentication. Then a database user must be created, and rds_iam privilege must be granted to the user. Finally, the user must have rds-db:connect IAM permissions to connect to the database. This can be granted using the IAM policy.
Option B is incorrect because STS is a web service for generating access tokens and creating temporary access to users via API. It does not enable IAM authentication to RDS and Aurora databases.
Option C is incorrect because STS is a web service for generating access tokens and creating temporary access to users via API. It does not enable IAM authentication to RDS and Aurora databases.
Option D is incorrect because Cognito is an authentication service for providing access to AWS resources to third-party external users or web and mobile apps. It does not enable and grant IAM authentication to RDS and Aurora databases.
Reference:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html