
A solutions architect needs to securely store a database user name and password that an application uses to access an Amazon RDS DB instance. The application that accesses the database runs on an Amazon EC2 instance. The solutions architect wants to create a secure parameter in AWS Systems Manager Parameter Store. What should the solutions architect do to meet this requirement?
A
Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.
B
Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.
C
Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify Amazon RDS as a principal in the trust policy.
D
Create an IAM trust relationship between the DB instance and the EC2 instance. Specify Systems Manager as a principal in the trust policy.
Explanation:
Correct Answer: A
IAM Role for EC2 Instance: EC2 instances obtain AWS credentials through an IAM role attached via an instance profile, not through IAM policies attached directly and not through long-term access keys stored on the instance. The role's temporary credentials are delivered by the instance metadata service and rotated automatically, so nothing long-lived has to be placed on the instance.
Read Access to Parameter Store: The application retrieves the database credentials from Parameter Store, so the role needs ssm:GetParameter (and ssm:GetParameters if several parameters are fetched in one call) on the parameter's ARN, and the call must request decryption (WithDecryption) because the parameter is a SecureString.
KMS Decrypt Permission: A SecureString parameter is encrypted with an AWS Key Management Service (AWS KMS) key. Systems Manager decrypts it on the caller's behalf, so the caller needs kms:Decrypt on that key; without it the GetParameter call with decryption fails with an access denied error even though the ssm permission is present. With a customer managed key both the role's IAM policy and the key policy must allow kms:Decrypt; the AWS managed key aws/ssm already grants this in its key policy to principals in the account that are authorized to use Systems Manager.
Role Assignment: The IAM role is attached to the EC2 instance through an instance profile. The application does not call AssumeRole itself: the SDK on the instance reads the role's temporary credentials from the instance metadata service and uses them to call GetParameter.
Option B: The policy permissions are correct, but IAM policies cannot be attached directly to EC2 instances. A policy must be attached to an IAM role, and the role is assigned to the instance through an instance profile.
Option C: This is incorrect because trust relationships are defined on IAM roles, not on Parameter Store parameters, and Amazon RDS is not the caller here. The EC2 instance reads the parameter, so the trust policy must name the EC2 service (ec2.amazonaws.com) as the principal.
Option D: This is incorrect because there is no trust relationship between a DB instance and an EC2 instance; a trust policy belongs to an IAM role and names who may assume it. Naming Systems Manager as a principal would let the Systems Manager service assume the role, which does nothing to let the application on the instance read the parameter.
IAM role policy example (region, account-id, your-parameter-name and key-id are placeholders):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:region:account-id:parameter/your-parameter-name"
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:region:account-id:key/key-id"
        }
    ]
}
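The following is an added worked example, not code from the quiz page: it builds the full wiring for option A (the role's trust policy naming the EC2 service, the least-privilege permissions policy with a kms:ViaService condition scoping the decrypt grant to Systems Manager, a small offline coverage check that flags a missing kms:Decrypt, and the boto3 call the application makes on the instance). The region, account ID, parameter name and KMS key ID are assumed placeholders, and the parameter is assumed to hold a JSON object with username and password fields.

```python
"""Option A wired up: IAM role for the EC2 instance, read access to one
SecureString parameter, kms:Decrypt on its key, and the retrieval call.

Added example, not code from the quiz page. REGION, ACCOUNT_ID,
PARAMETER_NAME and KMS_KEY_ID are assumed placeholders.
"""
import json
from fnmatch import fnmatchcase

REGION = "us-east-1"                                  # assumed
ACCOUNT_ID = "123456789012"                           # assumed placeholder account
PARAMETER_NAME = "/prod/app/db-credentials"           # assumed SecureString parameter
KMS_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # assumed customer managed key
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{KMS_KEY_ID}"


def parameter_arn(name: str) -> str:
    """ARN of a parameter. A hierarchical name already starts with '/', so the
    ARN ends in parameter/prod/app/db-credentials (single slash), not parameter//..."""
    path = name if name.startswith("/") else "/" + name
    return f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{path}"


def trust_policy() -> dict:
    """Who may assume the role: the EC2 service. Neither RDS (option C) nor
    Systems Manager (option D) is the caller that needs the credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy() -> dict:
    """Permissions attached to the role: exactly one parameter, exactly one key,
    and decrypt only when KMS is invoked on the role's behalf by Systems Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDbCredentialsParameter",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters"],
                "Resource": parameter_arn(PARAMETER_NAME),
            },
            {
                "Sid": "DecryptParameterViaSsm",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": KMS_KEY_ARN,
                # Without this condition the role could call kms:Decrypt directly
                # on any ciphertext produced under this key.
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{REGION}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Offline coverage check: does some Allow statement match (action, resource)?
    Understands IAM's * and ? wildcards; ignores Deny and Condition blocks, so it
    is a drafting aid for least privilege, not a full IAM simulation."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def missing_permissions(policy: dict, parameter_name: str = PARAMETER_NAME,
                        key_arn: str = KMS_KEY_ARN) -> list:
    """Actions a role would still lack to read and decrypt the SecureString."""
    needed = [("ssm:GetParameter", parameter_arn(parameter_name)), ("kms:Decrypt", key_arn)]
    return [action for action, resource in needed if not is_allowed(policy, action, resource)]


def fetch_db_credentials(parameter_name: str = PARAMETER_NAME) -> dict:
    """Runs on the instance. boto3 picks up the role's temporary credentials from
    the instance metadata service; nothing is configured in the application."""
    import boto3  # imported here so the policy helpers above work without boto3 installed
    ssm = boto3.client("ssm", region_name=REGION)
    # WithDecryption=True is required for a SecureString: without it the stored
    # ciphertext is returned, and without kms:Decrypt on the key the call is denied.
    value = ssm.get_parameter(Name=parameter_name, WithDecryption=True)["Parameter"]["Value"]
    return json.loads(value)  # assumed layout: {"username": "...", "password": "..."}


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("missing:", missing_permissions(permissions_policy()))
```

Running the module prints both policy documents ready for `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`; dropping the second statement from permissions_policy() makes missing_permissions report kms:Decrypt, which is exactly the failure the explanation describes.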