Exam AWS Certified Security - Specialty topic 1 question 199 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 199
Topic #: 1

A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter
Store. When the application tries to access the secure string key value, it fails.
Which factors could be the cause of this failure? (Choose two.)

  • A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
  • B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
  • C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
  • D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret.
  • E. The EC2 instance does not have any tags associated.
Suggested Answer: AB
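
As an added example (not part of the original question or discussion), this Python sketch checks an instance role's identity policy for the two permissions behind options A and B. The policies, ARNs and function names are constructed for illustration, and the evaluation is deliberately simplified.

```python
import re

def _glob(pattern, value, ignore_case=False):
    """Match an IAM-style pattern where '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _listify(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow.
    Ignores Condition, NotAction/NotResource, boundaries, SCPs and the
    KMS key policy, all of which can also block a real request."""
    allowed = False
    for stmt in _listify(policy["Statement"]):
        hit = (any(_glob(a, action, True) for a in _listify(stmt.get("Action", [])))
               and any(_glob(r, resource) for r in _listify(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def diagnose(policy, parameter_arn, key_arn, api_call="ssm:GetParameter"):
    """Return which of the question's options (A, B) the role policy explains."""
    causes = []
    if not allows(policy, "kms:Decrypt", key_arn):
        causes.append("A")  # no decrypt permission on the KMS key
    if not allows(policy, api_call, parameter_arn):
        causes.append("B")  # no read permission on the parameter
    return causes

# Constructed sample values, not taken from the page.
PARAM = "arn:aws:ssm:us-east-1:111122223333:parameter/app/db-password"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter*",
     "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/*"}]}
READ_AND_DECRYPT = {"Version": "2012-10-17", "Statement": READ_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]}
# Encrypt permission alone (option D) does not help a read-and-decrypt call.
ENCRYPT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("read only", READ_ONLY), ("read + decrypt", READ_AND_DECRYPT),
                      ("encrypt only", ENCRYPT_ONLY)]:
        print(name, "->", diagnose(pol, PARAM, KEY) or "no A/B cause")
```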

Comments

[Removed]
Highly Voted 3 years, 8 months ago
A and B: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html
upvoted 16 times
CollinsWolf
3 years, 3 months ago
But with the link, there is no Decrypt call there, or am I missing something?
upvoted 1 times
CollinsWolf
3 years, 3 months ago
Oh yes, you are right. There is.
upvoted 1 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: AB
AB are the correct answers.
upvoted 1 times
anhtu133
1 year, 7 months ago
Selected Answer: AB
AB sure.
upvoted 1 times
RosenYordanov
1 year, 7 months ago
Selected Answer: BC
B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store. If the EC2 instance role lacks the necessary permissions to read the parameters from Parameter Store, the application won't be able to retrieve the secure string values.
C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter. If Parameter Store doesn't have the required permissions to use AWS KMS to decrypt the secure string parameter, the decryption process will fail, preventing the application from accessing the sensitive data.
These issues are related to permissions, and ensuring that the EC2 instance role has the necessary read permissions on Parameter Store and decrypt permissions on the associated AWS KMS key will likely resolve the problem.
upvoted 1 times
epomatti
1 year, 9 months ago
Selected Answer: AB
A - Assuming a CMK was used
B - Yes, access is required.
C - Can't be true, as it will always have access to the AWS Managed key, and CMK is an instance permission.
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: AB
I agree on A and B.
upvoted 1 times
f4bi4n
3 years, 2 months ago
Selected Answer: AB
A and B
upvoted 1 times
lotfi50
3 years, 4 months ago
Selected Answer: AB
A and B.
upvoted 1 times
Radhaghosh
3 years, 5 months ago
A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
upvoted 1 times
AzureDP900
3 years, 6 months ago
A B is correct answer
upvoted 1 times
kiev
3 years, 8 months ago
AB for me too.
upvoted 2 times
DerekKey
3 years, 8 months ago
A&B - we use such solution in our case
upvoted 3 times
Ayusef
3 years, 8 months ago
A..and B for sure .... https://acloud.guru/forums/aws-certified-security-specialty/discussion/-LkThH4bMnlTseiGTXjM/How%20to%20allow%20EC2%20instances%20access%20to%20SSM%20Parameter%20Store%20with%20SecureString%20using%20default%20KMS%20CMK%3F
upvoted 1 times
sanjaym
3 years, 8 months ago
AB 100%
upvoted 2 times
Hudda
3 years, 8 months ago
Thank you all :)
upvoted 1 times
cldy
3 years, 9 months ago
A. B. ssm:getparameters & kms:decrypt are the two permissions needed.
upvoted 4 times
Hudda
3 years, 9 months ago
Do you have proof for A & B, DayQuil?
upvoted 1 times