An online grocery delivery application uses credentials saved in AWS Secrets Manager while accessing data from the Amazon RDS database. The Security Team is planning to initiate a secret rotation of credentials for the Amazon RDS database. For networking readiness, they are seeking your suggestions for a successful complete rotation of secrets.
Which of the following statements are TRUE with regards to networking requirements for rotating Secrets? (Select TWO.)

Answer options:

A.AWS CloudFormation template for Lambda rotation function will determine the accessibility of the database & will create Lambda function outside the VPC.B.Lambda rotation function should communicate with the Amazon Secrets manager over the internet using NAT Instance.
C.AWS CloudFormation template for Lambda rotation function will determine accessibility of database & will create Lambda function in the same VPC.D.Lambda rotation function should communicate with the Amazon Secrets manager over the internet using NAT Gateway.
E.Lambda rotation function should communicate with the Amazon Secrets manager over Secrets Manager service endpoints.

Correct Answers: C and E
Lambda Rotation Function used for AWS Secrets Manager is created using AWS CLoudFormation. To rotate secret, the Lambda rotation function should be able to communicate with the database and Amazon Secrete Manager. In the above case, since the database runs in a VPC, the CloudFormation template for the Lambda rotation function will create the Lambda function in the same VPC. This will ensure communication between Lambda functions & databases occurs locally within the VPC. Amazon Secrets Manager is placed in the public domain, so to communicate Lambda functions in a VPC to Amazon Secrets Manager, Secrets Manager service endpoints can be used to ensure the traffic is over the AWS network and not over the Internet.
Option A is incorrect as CloudFormation Template for Lambda rotation function creates Lambda function in the same VPC as that of the database, not outside VPC. Outside VPC will not ensure communication between Lambda functions & databases occurs locally within the VPC.Options B & D are incorrect as Amazon Service Manager resides in the public network. Service Manager service endpoint is preferred over NAT instance / NAT Gateway as with this traffic is over AWS network instead of using the internet.
For more information on AWS Secrets Manager network requirements for Secrets Rotation, refer to the following URL,
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html