AWS Certified Security - Specialty
Get started today
Ultimate access to all questions.
A team is utilizing AWS Secrets Manager to securely store the password for an application's database. Access to this secret is restricted to a select group of IAM principals within the AWS account. The list of principals requiring access to the secret is dynamic and changes often. A security engineer is tasked with devising a solution that ensures both flexibility and scalability in managing access to the secret. Which of the following solutions would effectively meet these criteria?
A team is utilizing AWS Secrets Manager to securely store the password for an application's database. Access to this secret is restricted to a select group of IAM principals within the AWS account. The list of principals requiring access to the secret is dynamic and changes often. A security engineer is tasked with devising a solution that ensures both flexibility and scalability in managing access to the secret. Which of the following solutions would effectively meet these criteria?
Explanation:
The correct answer is C. Using a tag-based approach provides maximum flexibility and scalability in managing access to the AWS Secret. By attaching a resource policy to the secret and applying tags to both the secret and the IAM principals, you can control access dynamically. The aws:PrincipalTag and aws:ResourceTag IAM condition keys enable fine-grained access control based on tags, making it easier to manage the frequently changing list of IAM principals requiring access. This approach is recommended as it simplifies the process and avoids the need for constant updates to IAM roles, endpoint policies, or deny-by-default policies with manual group management.