
Exam AWS Certified Security - Specialty topic 1 question 91 discussion

Question #: 91
Topic #: 1

The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
- Have the EC2 instances bootstrapped to connect to a backend database.
- Ensure that the database credentials are handled securely.
- Ensure that retrievals of database credentials are logged.
Which of the following is the MOST efficient way to meet these requirements?

  • A. Pass database credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
  • B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.
  • C. Create an AWS Lambda function that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
  • D. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
Suggested Answer: B 🗳️
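What answer B leaves implicit, as an added example that is not part of the exam question or of any comment on this page: the role behind the EC2 instance profile needs ssm:GetParameter on the parameter and kms:Decrypt on the key that encrypts the SecureString (without the KMS grant the read fails at runtime), both scoped to a single resource, and the UserData then pulls the value at boot with the AWS CLI. The region, account ID, parameter name and key ID below are constructed placeholders, and the AWS CLI is assumed to be present on the AMI.

```python
"""Answer B made concrete: the instance-role policy, a lint for the two
mistakes the thread raises (no kms:Decrypt, wildcard resources), and the
UserData that reads the SecureString at boot. Region, account, parameter
name and key ID are constructed placeholders, not values from the page."""
import json

REGION = "us-east-1"
ACCOUNT = "123456789012"
PARAM_NAME = "/app/prod/db/password"
PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{PARAM_NAME}"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"


def instance_role_policy(param_arn: str, key_arn: str, region: str) -> dict:
    """Inline policy for the role in the EC2 instance profile. A SecureString
    encrypted with a customer managed key cannot be read unless the caller may
    also kms:Decrypt with that key, so ssm:GetParameter on its own fails."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDbPassword",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter"],
                "Resource": param_arn,
            },
            {
                "Sid": "DecryptDbPassword",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": key_arn,
                # Only allow this key to be used through Parameter Store.
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}
                },
            },
        ],
    }


def lint_policy(policy: dict) -> list:
    """Findings for a policy that is supposed to read exactly one SecureString."""
    findings = []
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        actions.update(acts)
        for act in acts:
            for res in resources:
                if "*" in res:
                    findings.append(f"{act} allowed on wildcard resource {res}")
    if not actions & {"ssm:GetParameter", "ssm:GetParameters", "ssm:*"}:
        findings.append("missing ssm:GetParameter")
    if not actions & {"kms:Decrypt", "kms:*"}:
        findings.append("missing kms:Decrypt: SecureString reads will fail")
    return findings


def user_data(param_name: str, region: str) -> str:
    """Bootstrap script passed as UserData. The secret lands only in a root-owned
    file the application reads; it is never echoed to a log or the process list."""
    return "\n".join([
        "#!/bin/bash",
        "set -euo pipefail",
        "umask 077",
        "install -d -m 0700 /etc/app",
        # --with-decryption is the GetParameter call CloudTrail records.
        f"aws ssm get-parameter --region {region} --name '{param_name}' "
        "--with-decryption --query Parameter.Value --output text "
        "> /etc/app/db_password",
        "systemctl start app",   # hypothetical service that reads the file
    ])


if __name__ == "__main__":
    policy = instance_role_policy(PARAM_ARN, KEY_ARN, REGION)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
    print(user_data(PARAM_NAME, REGION))
```

Keep the KMS statement even when the parameter uses the AWS managed key aws/ssm: in that case the key policy grants decryption, but an explicit, resource-scoped statement is what you want the moment the parameter moves to a customer managed key.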

Comments

NANDY666
Highly Voted 3 years, 6 months ago
B is Correct
upvoted 17 times
Ayusef
Highly Voted 3 years, 6 months ago
It's clearly B. If you said anything other than that on this one, you need to go back to the basics. Granted, some of the questions are tricky, but this isn't one. Not trying to insult anyone, but this is an easy one.
upvoted 9 times
Harryhero
3 years, 6 months ago
How is B addressing this requirement: "Have the EC2 instances bootstrapped to connect to a backend database"?
upvoted 3 times
grekh001
3 years, 6 months ago
None of the answers address the bootstrapping requirement. So we have to assume that the requirement is met outside of these answers. Then we can focus on meeting the other two requirements of securely providing access to the creds and logging access. Answer: B
upvoted 7 times
luccabastos
Most Recent 11 months, 2 weeks ago
Selected Answer: B
B: Secure and logged
upvoted 1 times
anhtu133
1 year, 5 months ago
Remember the best practice: in CloudFormation, database passwords are always stored in AWS Systems Manager Parameter Store.
upvoted 1 times
G4Exams
2 years ago
Selected Answer: B
Most efficient is definitely B (parameter store)
upvoted 1 times
Ell89
2 years, 2 months ago
Selected Answer: B
B 100%
upvoted 1 times
zeeke
2 years, 3 months ago
Should be a TWO answer question, answers are B & D
upvoted 2 times
sanjaym
3 years, 6 months ago
Ans: B 100%
upvoted 6 times
kalzht00
3 years, 7 months ago
B for sure
upvoted 1 times
devjava
3 years, 7 months ago
Ans > B
upvoted 1 times
AfricanCloudGuru
3 years, 7 months ago
Ans (B)
upvoted 1 times
triplej
3 years, 7 months ago
I think C is the answer - https://aws.amazon.com/blogs/security/how-to-protect-the-integrity-of-your-encrypted-data-by-using-aws-key-management-service-and-encryptioncontext/ EncryptionContext provides three benefits: additional authenticated data (AAD), audit trail, authorization context.
upvoted 1 times
skipbaylessfor3
3 years, 6 months ago
This info and link has almost no relevance to the question
upvoted 1 times
[Removed]
3 years, 7 months ago
B is what they're looking for here
upvoted 1 times
Aum
3 years, 7 months ago
B is mostly correct, but it failed to mention permission to decrypt the SecureString as well. It just said "access".
upvoted 1 times
RakeshTaninki
3 years, 7 months ago
B is correct
upvoted 1 times
cloudprincipal
3 years, 7 months ago
B is correct
upvoted 1 times
henry76
3 years, 7 months ago
B? How about the logging requirement?
upvoted 2 times
Bach999
3 years, 7 months ago
https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudtrail-logs.html Maybe logging will be done via Systems Manager.
upvoted 1 times
ramozo
3 years, 6 months ago
CloudTrail does that. https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
upvoted 2 times
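The logging half of answer B, as an added example that is not part of the thread above: Parameter Store GetParameter, GetParameters and GetParametersByPath calls are recorded by CloudTrail as management events, with requestParameters carrying the parameter name(s) and the withDecryption flag but never the decrypted value. The records below are constructed samples in CloudTrail's JSON shape (the account, role and parameter names are placeholders), and the code answers the question a practitioner actually has once logging is on: who read the secret with decryption other than the instance role?

```python
"""Audit CloudTrail for reads of a SecureString parameter. SAMPLE_TRAIL is a
constructed sample in CloudTrail's record format, not a real log; the account
ID, role names, user name and parameter names are placeholders."""
import json

PARAM = "/app/prod/db/password"
ALLOWED_ROLE = "AppInstanceRole"   # role behind the EC2 instance profile

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # instance bootstrap reading the password: expected
        "eventTime": "2024-05-01T10:00:01Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "GetParameter",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AppInstanceRole/i-0abc123def456"},
        "requestParameters": {"name": "/app/prod/db/password", "withDecryption": True},
        "responseElements": None,   # CloudTrail never records the value
    },
    {   # an IAM user pulling the same value via GetParameters: not expected
        "eventTime": "2024-05-01T11:30:45Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "GetParameters",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"names": ["/app/prod/db/password", "/app/prod/db/host"],
                              "withDecryption": True},
        "responseElements": None,
    },
    {   # listing the path without decryption: metadata and ciphertext only
        "eventTime": "2024-05-01T12:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "GetParametersByPath",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AuditRole/bob"},
        "requestParameters": {"path": "/app/prod/db/", "withDecryption": False},
        "responseElements": None,
    },
    {   # unrelated SSM call, must be ignored
        "eventTime": "2024-05-01T12:05:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "DescribeParameters",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": None, "responseElements": None,
    },
]})


def _touches(request, event_name: str, param: str) -> bool:
    """Does this read cover `param`? GetParameter carries name, GetParameters
    names, GetParametersByPath a path prefix."""
    if not request:
        return False
    if event_name == "GetParameter":
        return request.get("name") == param
    if event_name == "GetParameters":
        return param in request.get("names", [])
    if event_name == "GetParametersByPath":
        return param.startswith(request.get("path", "\0"))
    return False


def principal(identity: dict) -> str:
    """Role name for assumed-role sessions, otherwise the caller's full ARN."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole" and ":assumed-role/" in arn:
        return arn.split(":assumed-role/")[1].split("/")[0]
    return arn


def parameter_reads(trail_json: str, param: str) -> list:
    """Every record that read `param`, with the caller and whether it decrypted."""
    reads = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue
        if _touches(rec.get("requestParameters"), rec["eventName"], param):
            reads.append({
                "time": rec["eventTime"],
                "api": rec["eventName"],
                "principal": principal(rec["userIdentity"]),
                "decrypted": bool(rec["requestParameters"].get("withDecryption")),
            })
    return reads


def unexpected_reads(trail_json: str, param: str, allowed_role: str) -> list:
    """Decrypting reads by anyone other than the instance role: alert on these."""
    return [r for r in parameter_reads(trail_json, param)
            if r["decrypted"] and r["principal"] != allowed_role]


if __name__ == "__main__":
    for r in unexpected_reads(SAMPLE_TRAIL, PARAM, ALLOWED_ROLE):
        print(f"ALERT {r['time']} {r['api']} by {r['principal']}")
```

Run against a real trail, the same filter is what you would put behind a CloudWatch Logs metric filter or EventBridge rule on the trail's log group; the point the sample makes is that the audit trail exists without any extra work on the instance, which is why B satisfies the third requirement and D does not.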
Community vote distribution: A (35%), C (25%), B (20%), Other
