AWS Certified Developer - Associate


You are tasked with constructing a fleet of EBS-optimized EC2 instances to manage the load for a new application. Given the necessity for security compliance within your organization, it is crucial that any secret strings utilized in the application are encrypted to avoid the exposure of plain text values.

The solution requires that decryption events be auditable and that the API calls remain simple. What are the two methods to achieve this? (Select two.)





Explanation:

Store the secret as SecureString in SSM Parameter Store

With AWS Systems Manager Parameter Store, you can create SecureString parameters, which are parameters that have a plaintext parameter name and an encrypted parameter value. Parameter Store uses AWS KMS to encrypt and decrypt the parameter values of SecureString parameters. Also, if you are using customer-managed CMKs, you can use IAM policies and key policies to manage encrypt and decrypt permissions. Retrieving the decrypted value takes only one API call.