
A team is utilizing AWS Secrets Manager to securely store the password for an application's database. Access to this secret is restricted to a select group of IAM principals within the AWS account. The list of principals requiring access to the secret is dynamic and changes often. A security engineer is tasked with devising a solution that ensures both flexibility and scalability in managing access to the secret. Which of the following solutions would effectively meet these criteria?
A. Implement a role-based strategy by establishing an IAM role with an inline policy granting access to the secret. Modify the role's trust policy to include or exclude IAM principals as needed.

B. Set up a VPC endpoint for Secrets Manager and configure an endpoint policy to list the IAM principals authorized to access the secret. Adjust the list of principals in the endpoint policy as the access requirements change.

C. Adopt a tag-based strategy by applying a resource policy to the secret. Assign relevant tags to both the secret and the IAM principals. Utilize the aws:PrincipalTag and aws:ResourceTag condition keys within IAM policies to manage access based on these tags.

D. Employ a deny-by-default strategy using IAM policies to explicitly deny access to the secret. Attach these policies to an IAM group and include all IAM principals in this group. Remove principals from the group when they require access and re-add them when access is no longer needed.