
Exam AWS Certified Security - Specialty topic 1 question 11 discussion


An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.
The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.
What should the Security Engineer do to meet these requirements?

  • A. Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
  • B. Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
  • C. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.
  • D. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
Suggested Answer: D

Comments

INASR
Highly Voted 3 years, 7 months ago
D is for sure correct. A & B are wrong because you do not store credentials in AWS KMS. C is wrong because you do not attach an EC2 instance profile to a Lambda function; you attach it only to EC2 instances.
upvoted 50 times
Lunga
3 years, 6 months ago
I agree with this answer; I was about to type the same. D is correct.
upvoted 3 times
ITGURU51
1 year, 11 months ago
Secrets Manager uses a Lambda function to rotate the secret for a secured service or database.
upvoted 1 times
BillyC
Highly Voted 3 years, 7 months ago
D i think is correct
upvoted 16 times
jlggross
Most Recent 9 months, 3 weeks ago
First, for credentials (secrets / passwords) you should use Secrets Manager. AWS KMS is for encryption keys. Second, you cannot attach an instance profile to a Lambda function. D is the correct answer.
upvoted 1 times
cumzle_com
10 months, 3 weeks ago
Selected Answer: D
D is for sure correct.
upvoted 1 times
Raphaello
1 year, 2 months ago
Selected Answer: D
D is correct.
upvoted 1 times
Benah
1 year, 7 months ago
D for me. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.
upvoted 1 times
ITGURU51
1 year, 11 months ago
The IAM execution role for the Lambda function is necessary to be able to rotate the credentials. D
upvoted 1 times
luis12345
2 years, 4 months ago
D! You do not attach an instance profile to a Lambda function, but you allow the function to access the role while executing.
upvoted 2 times
gg12345
2 years, 5 months ago
Selected Answer: D
D - Seems to be the best answer.
upvoted 1 times
jj22222
3 years, 4 months ago
Selected Answer: D
D looks right
upvoted 1 times
Mikeclue
3 years, 6 months ago
D, all day. C is wrong: "Attach the instance profile to the EC2 instances and the Lambda function".
upvoted 3 times
sanjaym
3 years, 6 months ago
Ans: D 100%
upvoted 3 times
devjava
3 years, 6 months ago
Ans > D
upvoted 3 times
AfricanCloudGuru
3 years, 6 months ago
Ans(D) Because the Lambda has the execution role
upvoted 3 times
thePerfect
3 years, 6 months ago
C is wrong, D is correct: "Lambda execution role" is the keyword.
upvoted 1 times
PeppaPig
3 years, 6 months ago
C is wrong simply because the secret string in SSM also requires KMS permissions in your IAM roles
upvoted 1 times
RajeshNayyar
3 years, 6 months ago
KMS cannot be used to store passwords or secrets; the correct answer is D.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other
