Exam AWS Certified Security - Specialty topic 1 question 130 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 130
Topic #: 1

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A Security Engineer discovers that this sensitive information is viewable by people who should not have access to it.
What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

  • A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
  • B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
  • C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
  • D. Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after execution.
Suggested Answer: B

Comments

[Removed]
Highly Voted 3 years, 6 months ago
The answer is B , you can use: aws ssm get-parameter --name MyParameter --with-decryption https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
upvoted 24 times
sapien45
2 years, 8 months ago
Excellent answer, Removed. You will be missed. To decrypt the parameter value before returning it, set the WithDecryption parameter of GetParameter to true. When you use WithDecryption, Parameter Store calls the AWS KMS Decrypt operation on your behalf to decrypt the parameter value. As a result, the GetParameter request returns the parameter with a plaintext parameter value, as shown in the following example.
    $ aws ssm get-parameter --name MyParameter --with-decryption
    {
        "Parameter": {
            "Type": "SecureString",
            "Name": "MyParameter",
            "Value": "secret_value"
        }
    }
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
upvoted 1 times
...
...
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: B
B is the answer. SSM parameter store.
upvoted 1 times
...
ITGURU51
2 years ago
AWS Systems Manager Parameter Store can be used to encrypt sensitive data. The answer is B.
upvoted 1 times
...
Bosch123
2 years, 7 months ago
In a practical scenario, option 'C' is used. A user data script is a set of executable text provided with all necessary secrets within it. Imagine a password is needed in the script: would you store that value in Secrets Manager, retrieve it at runtime, and replace the value in the script... is it not over-engineering? Just because AWS Secrets Manager and KMS are available does not mean they need to be used everywhere.
upvoted 1 times
...
bobsmith2000
2 years, 7 months ago
For me it's C. A - never bake secrets into an AMI. B - the encrypting key isn't specified. If it's the AWS managed default key, then anyone can see the plain text from the AWS console or from the instance itself (due to the instance role). Moreover, no mention of log deletion. C - KMS adds another layer of security over who can access the data from the S3 console. In addition, all logs are deleted. D - red herring.
upvoted 3 times
...
bobsmith2000
2 years, 8 months ago
Selected Answer: C
Why not C? With B anyone on an EC2 instance may use aws cli to get ssm parameter. With C it's not stored or accessible by anyone.
upvoted 3 times
...
dcasabona
2 years, 9 months ago
Selected Answer: B
Option B.
upvoted 1 times
...
TigerInTheCloud
3 years ago
Selected Answer: B
B is a better answer than A. Someone prefers B for the reason of the kms:Decrypt permission. However, the default aws/ssm key policy Sid mentions "Allow access through SSM for all principals in the account that are authorized to use SSM" (through the kms:ViaService condition). I tested and confirmed that ssm:GetParameters or ssm:GetParameter is enough. Be careful about the difference between the two permissions :-)
upvoted 2 times
...
ceros399
3 years, 1 month ago
Selected Answer: B
B is the only possible answer
upvoted 1 times
...
Radhaghosh
3 years, 3 months ago
B is the closest option (although kms:Decrypt is missing).
upvoted 1 times
...
NivNZ
3 years, 5 months ago
Selected Answer: B
Ref: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-encrypt "To decrypt the parameter value before returning it, set the WithDecryption parameter of GetParameter to true. When you use WithDecryption, Parameter Store calls the AWS KMS Decrypt operation on your behalf to decrypt the parameter value. As a result, the GetParameter request returns the parameter with a plaintext parameter value" Example: aws ssm get-parameter --name MyParameter --with-decryption
upvoted 2 times
...
DerekKey
3 years, 5 months ago
B - this is what we do when autoscaling starts new instance
upvoted 2 times
...
sanjaym
3 years, 5 months ago
B for sure.
upvoted 3 times
...
Hungdv
3 years, 6 months ago
B is answer
upvoted 4 times
...
gobble
3 years, 6 months ago
So we try to choose between A and B. For B, 2 issues: it is called SecureString; there is no such thing called an "encrypted string parameter". The 2nd issue is that the GetParameters permission is not enough; the instance role needs kms:Decrypt as well. For A, it is not a good idea to store the script inside the AMI, as it is hard to update. However, it is a workable solution. I will go with A.
upvoted 2 times
rhinozD
3 years, 5 months ago
No, if you don't use a CMK, you don't need to have kms:Decrypt in the instance role. Just: aws ssm get-parameter --name MyParameter --with-decryption. B is the answer.
upvoted 4 times
Radhaghosh
3 years, 3 months ago
without KMS how are you doing encrypt/decrypt?
upvoted 1 times
...
...
...
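The thread above (and the top-voted comment earlier) argues about two things: how an instance reads a SecureString at boot with WithDecryption, and whether the instance role needs kms:Decrypt on top of ssm:GetParameter. The following is an added example, not code from the exam page or from any commenter, showing what option B looks like in practice: a least-privilege instance-role policy, a user-data script that fetches the secret at runtime instead of carrying it, and the retrieval call. The parameter name /app/db/password, the region us-east-1, the ARNs and the stub client are constructed for the example; when a customer managed key is passed in, the policy adds the kms:Decrypt statement scoped with kms:ViaService, and when kms_key_arn is None (the AWS managed aws/ssm key) it is omitted, which is the distinction the comments are debating.

```python
"""Added example (not from the exam page): bootstrap an EC2 instance without
embedding the secret in user data, using an SSM SecureString parameter.

Assumptions (constructed for this example): the secret lives in the parameter
/app/db/password in us-east-1 and only the instance role needs to read it.
"""
import json
from typing import Optional


def instance_role_policy(parameter_arn: str, region: str,
                         kms_key_arn: Optional[str] = None) -> dict:
    """Least-privilege policy for the instance profile role.

    ssm:GetParameter is scoped to a single parameter ARN. If a customer managed
    KMS key encrypts the parameter, the role also needs kms:Decrypt on that key;
    the kms:ViaService condition restricts the grant so the key can only be
    used through Parameter Store in this region, not by calling KMS directly.
    With the AWS managed aws/ssm key (kms_key_arn=None) no explicit grant is
    added, because that key's policy already allows access through SSM.
    """
    statements = [{
        "Sid": "ReadOneBootstrapSecret",
        "Effect": "Allow",
        "Action": "ssm:GetParameter",
        "Resource": parameter_arn,
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptOnlyViaParameterStore",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"ssm.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def fetch_secure_string(ssm_client, name: str) -> str:
    """Read and decrypt a SecureString at boot.

    ssm_client is anything exposing boto3's get_parameter(Name=..., WithDecryption=...)
    so a real boto3.client("ssm") or an offline stub can be passed in. With
    WithDecryption=True, Parameter Store calls kms:Decrypt on the caller's behalf
    and returns plaintext; the value never sits in user data or the AMI.
    """
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param["Type"] != "SecureString":
        raise ValueError(f"{name} is not a SecureString; refusing to treat it as a secret")
    return param["Value"]


def render_user_data(parameter_name: str, region: str) -> str:
    """User-data script that pulls the secret at runtime instead of carrying it.

    Only the parameter name appears in user data, so whoever can read user data
    (instance metadata, DescribeInstanceAttribute, cloud-init logs) sees no secret.
    The value is written to a root-only 0600 file for the service to read.
    """
    return "\n".join([
        "#!/bin/bash",
        "set -euo pipefail",
        "umask 077",  # files created below are readable only by root
        "install -d -m 0700 /etc/app",
        f"aws ssm get-parameter --region {region} --name '{parameter_name}' "
        "--with-decryption --query Parameter.Value --output text "
        "> /etc/app/db_password",
        "systemctl start app",
        "",
    ])


class StubSsmClient:
    """Constructed offline stand-in for boto3's SSM client (demo/test only)."""

    def __init__(self, response: dict):
        self._response = response

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        if not WithDecryption:
            raise RuntimeError("SecureString values come back ciphertext without WithDecryption")
        return self._response


# Constructed response shaped like the CLI output quoted in the comment thread.
SAMPLE_RESPONSE = {"Parameter": {"Type": "SecureString",
                                 "Name": "/app/db/password",
                                 "Value": "secret_value"}}

if __name__ == "__main__":
    param_arn = "arn:aws:ssm:us-east-1:123456789012:parameter/app/db/password"
    key_arn = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
    print(json.dumps(instance_role_policy(param_arn, "us-east-1", key_arn), indent=2))
    print(fetch_secure_string(StubSsmClient(SAMPLE_RESPONSE), "/app/db/password"))
    print(render_user_data("/app/db/password", "us-east-1"))
```

Note that the rendered user data contains the parameter name only; the plaintext exists on the instance solely in the 0600 file the service reads, which is the property the question is testing for.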
Larsson
3 years, 6 months ago
None of the options are good. If you leave encrypted data on a volume, it could become possible to decrypt it with new technology in a few years. And if you let the machine use the data and then delete it, it could still be in RAM, available to any program on the machine.
upvoted 1 times
...
cldy
3 years, 6 months ago
A. For B you also need kms decrypt permission.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other