Exam AWS Certified Database - Specialty topic 1 question 7 discussion

Exam question from Amazon's AWS Certified Database - Specialty
Question #: 7
Topic #: 1

A clothing company uses a custom ecommerce application and a PostgreSQL database to sell clothes to thousands of users from multiple countries. The company is migrating its application and database from its on-premises data center to the AWS Cloud. The company has selected Amazon EC2 for the application and Amazon RDS for PostgreSQL for the database. The company requires database passwords to be changed every 60 days. A Database Specialist needs to ensure that the credentials used by the web application to connect to the database are managed securely.
Which approach should the Database Specialist take to securely manage the database credentials?

  • A. Store the credentials in a text file in an Amazon S3 bucket. Restrict permissions on the bucket to the IAM role associated with the instance profile only. Modify the application to download the text file and retrieve the credentials on start up. Update the text file every 60 days.
  • B. Configure IAM database authentication for the application to connect to the database. Create an IAM user and map it to a separate database user for each ecommerce user. Require users to update their passwords every 60 days.
  • C. Store the credentials in AWS Secrets Manager. Restrict permissions on the secret to only the IAM role associated with the instance profile. Modify the application to retrieve the credentials from Secrets Manager on start up. Configure the rotation interval to 60 days.
  • D. Store the credentials in an encrypted text file in the application AMI. Use AWS KMS to store the key for decrypting the text file. Modify the application to decrypt the text file and retrieve the credentials on start up. Update the text file and publish a new AMI every 60 days.
Suggested Answer: C
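
A check for the setup described in option C, added here as an example (it is not part of the original question or of any AWS tooling): it audits the JSON returned by Secrets Manager's DescribeSecret and GetResourcePolicy calls against the 60-day rotation requirement and the "instance-profile role only" restriction. The role ARN, account ID and sample responses are constructed, and only Allow statements in the secret's resource policy are inspected, not identity-based policies.

```python
import json

# Added example: audits constructed DescribeSecret / GetResourcePolicy output.
MAX_ROTATION_DAYS = 60  # the company's password-change requirement
READ_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_secret(describe, resource_policy, allowed_role_arn):
    """Return a list of findings; an empty list means the secret passes."""
    findings = []
    days = describe.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if not describe.get("RotationEnabled"):
        findings.append("rotation is not enabled")
    elif days is None or days > MAX_ROTATION_DAYS:
        findings.append(f"rotation interval {days} is not within {MAX_ROTATION_DAYS} days")
    # Assumption: only Allow statements of the resource policy are evaluated.
    for stmt in _as_list(json.loads(resource_policy).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not READ_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else [
            p for v in principal.values() for p in _as_list(v)]
        for p in principals:
            if p != allowed_role_arn:
                findings.append(f"{p} may read the secret")
    return findings


# Constructed sample data (hypothetical role name and account ID).
ROLE = "arn:aws:iam::111122223333:role/ecommerce-app-instance-role"
GOOD_DESCRIBE = {"RotationEnabled": True, "RotationRules": {"AutomaticallyAfterDays": 60}}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})
BAD_DESCRIBE = {"RotationEnabled": True, "RotationRules": {"AutomaticallyAfterDays": 90}}
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ROLE, "arn:aws:iam::111122223333:root"]},
     "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_secret(GOOD_DESCRIBE, GOOD_POLICY, ROLE))
    print(audit_secret(BAD_DESCRIBE, BAD_POLICY, ROLE))
```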

Comments

chicagomassageseeker
Highly Voted 3 years, 8 months ago
Answer C.
upvoted 24 times
...
novice_expert
Highly Voted 3 years, 1 month ago
Selected Answer: C
Secrets Manager -> rotation 60 days -> Secret access to IAM roles for instance only -> Apps refer to Secrets Manager to get pwd on startup
upvoted 5 times
...
Pranava_GCP
Most Recent 1 year, 8 months ago
Selected Answer: C
C. Store the credentials in AWS Secrets Manager. Restrict permissions on the secret to only the IAM role associated with the instance profile. Modify the application to retrieve the credentials from Secrets Manager on start up. Configure the rotation interval to 60 days. https://aws.amazon.com/secrets-manager/
upvoted 2 times
...
kerl
1 year, 10 months ago
Now the answer is B, https://repost.aws/knowledge-center/users-connect-rds-iam. "If your application is running on Amazon Elastic Compute Cloud (Amazon EC2), then you can use your EC2 instance profile credentials to access the database. You don't need to store database passwords on your instance." and "Authentication tokens have a lifespan of 15 minutes, so you don't need to enforce password resets." meet the question criteria. C is no longer best practice.
upvoted 2 times
...
Balki
2 years, 11 months ago
Selected Answer: C
If people think of B, the only reason they should move away from it is, IAM DB Authentication tokens can be valid only for 15 mins. Answer is C
upvoted 2 times
...
amitkhurana
3 years, 1 month ago
Selected Answer: C
Answer C.
upvoted 2 times
...
RotterDam
3 years, 3 months ago
Selected Answer: C
Obviously C. How do the owners allow 80% wrong answers and not correct them?
upvoted 3 times
...
tugboat
3 years, 3 months ago
Selected Answer: C
secret manager
upvoted 2 times
...
Raj12131
3 years, 5 months ago
B seems to be right choice. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
upvoted 1 times
Jiang_aws1
2 years, 8 months ago
X B. Create IAM role then grant to user, not create "IAM user"
upvoted 1 times
...
...
GMartinelli
3 years, 6 months ago
Selected Answer: C
Option C
upvoted 2 times
...
Anuragdba
3 years, 7 months ago
C: Why are most of the answers wrong? This is not the right way.
upvoted 1 times
...
Anuragdba
3 years, 7 months ago
C . Store the credentials in AWS Secrets Manager
upvoted 1 times
...
aws4myself
3 years, 7 months ago
C ==> for centralised credentials management with auto rotation
upvoted 2 times
...
guru_ji
3 years, 7 months ago
C ==>> Correct Answer.
upvoted 1 times
...
Dr_Kiko
3 years, 7 months ago
C I cannot believe how easy the question is!
upvoted 1 times
...
Billhardy
3 years, 7 months ago
Answer C
upvoted 1 times
...
LMax
3 years, 7 months ago
Answer C
upvoted 2 times
...