ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 117 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 117
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

  • A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
  • B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
  • C. Configure automatic rotation of credentials in AWS Secrets Manager.
  • D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
  • E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.
Show Suggested Answer Hide Answer
Suggested Answer: CE 🗳️
by luis12345 at March 16, 2020, 8:57 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
RaySmith
Highly Voted 3 years, 9 months ago
I am thinking CE. D is talking about SSM param store, but C is about secret manager.
upvoted 20 times
...
ChauPhan
Highly Voted 3 years, 8 months ago
Parameter Store can't rotate the credentials, only Secret Manager has this option So CE.
upvoted 6 times
...
ITGURU51
Most Recent 2 years, 2 months ago
CE is the best option. The Java application needs to know when the secrets have been rotated to satisfy the business requirement.
upvoted 2 times
...
dcasabona
2 years, 11 months ago
Selected Answer: CE
Secrets manager hands the situation.
upvoted 2 times
...
MoreOps
3 years, 2 months ago
Selected Answer: CE
C and E, SSM Sec' Manager + instance automatically pulling upon failure sounds like the best solution to me
upvoted 2 times
...
DerekKey
3 years, 8 months ago
How C&D together can be correct if they use a different mechanism to store credentials?
upvoted 2 times
...
Daniel76
3 years, 8 months ago
CE C: Use Secrets Manager to auto-rotate and need not worry about downtime. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html E: the application needs to autodetect the change so it reduces downtime due to human turnaround time. P/S You only need to use Systems Manager Parameter Store to point to Secrets Manager only if it is due to proprietary issue. https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html
upvoted 1 times
...
continent34
3 years, 8 months ago
CE is correct. Use either Systems Manager Parameter Store or Secrets Manager; if you use one no need for the other. B causes downtime if the application needs restart so it's incorrect.
upvoted 1 times
...
Larsson
3 years, 8 months ago
CE. Can't be D because you have either secrets manager or parameter store, not both. Catch exception you can do anyway, CE doesn't rule that out.
upvoted 1 times
...
Zia842
3 years, 8 months ago
Additional Reference : https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html
upvoted 1 times
...
Zia842
3 years, 8 months ago
Answer CD Reference : https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html Option E is illogical on connection failure going and fetching updated credentials
upvoted 1 times
Huy
3 years, 8 months ago
Actually D is illogical? If you have a wrong credentials, the exception is connection failure and E is correct. D doesn't mention store the secret with parameter neither how to minimize downtime.
upvoted 1 times
...
Kdosec
3 years, 8 months ago
If you read carefully all answers, you see that C is Secret Manager and D is Parameter Store, you can't use both services in the same case. So, we must use only Secret Manager and the answers are C,E
upvoted 1 times
...
...
DanMuniz
3 years, 8 months ago
C and E!
upvoted 1 times
...
PeppaPig
3 years, 8 months ago
C&E secret manger + application exception handler Only E addresses the requirement of "minimize downtime"
upvoted 4 times
...
sunnybunny
3 years, 9 months ago
CD seems correct https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-rotate-credentials-amazon-rds-database-types-oracle/
upvoted 1 times
...
rdy4u
3 years, 9 months ago
C/E: AWS Secrets Manager Duplicated with New Q12
upvoted 1 times
...
awssecuritynewbie
3 years, 9 months ago
Parameter store does not auto rotate RDS creds
upvoted 3 times
sunnybunny
3 years, 9 months ago
you can auto rotate https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-rotate-credentials-amazon-rds-database-types-oracle/
upvoted 1 times
scuzzy2010
3 years, 8 months ago
I think you are confusing parameter store with secrets manager. https://acloudguru.com/blog/engineering/an-inside-look-at-aws-secrets-manager-vs-parameter-store "Where AWS Secrets Manager begins to win the day is the ability to automatically rotate secrets."
upvoted 1 times
...
...
...
awssecuritynewbie
3 years, 9 months ago
the other reason it is CD is because the failure is almost automatic configure the Java application to catch a connection failure
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel