Exam AWS Certified Solutions Architect - Professional topic 1 question 43 discussion

I would go with C

C is option making some sense. However it should be ACM for certificates. KMS is for keys

C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.

The ec2 create the certificate that includes its instanceid put unsigned certificate into sns and the customer key management system poll sns for new request and sign the certificate. This is not AWS kms but a customer key system so it could be written to poll requests

The second time I read this question, I believe the answer should B. A. instance-id is randomly generated by amazon internal algorithm, you can't get all possible instance-id in advance before you start an instance. So A is out. C. "Have the Key management service generate a signed certificate" is apparently wrong. Still don't know why people don't notice it. KMS only does encryptions/decryptions, for x 509 certificate , you need ACM to generate. D " upon first boot" I suspect whether you can get instance-id in booting time via script in user data and " Have the Key management service poll the Auto Scaling group" looks strange to me, as far as I know, it seems no poll function from KMS.

I don't understand how C can be correct. KMS can not generate x509 certificate ! it should be acm!

Another question that Sucks! Not only configurations needed with Option C, I think it may need some programming work or even your Key management service cannot send it to EC2.

Same as cannottellname and TechX

Answer: C Explanation: The certificate must be signed by the customers key management service and this is the only option. Using S3 wont have it unique, embedding in AMI wont make it unique, Generating a new certificate by itself would defeat the requirement of getting it signed by customers key management service. A – Accessing from S3 was fine but how can the file be unique when every time autoscaling generates different instances and instance-id.. Thats not predictable B – Embedding a certificate in AMI cannot make the certificate unique. D – As the EC2 instances must generate unique X.509 certificate and this must be specific to the instance id. The EC2 instance can generate the certificate itself BUT it is clearly mentioned that the certificate must be signed by the customers key management service and not self signed.

Option C Just to be clear, this question doesn't talk about AWS KMS but a customer's key management service (something like internal Certificate Authority). The requirement asks about unique certificate to be assigned for each EC2 instance. A, B doesn't guarantee a unique certificate. D doesn't make sense as CA won't poll for a CSR (Certificate Signining Request) and Sign it. This leaves with Option C which is possible with SNS alerting the customer's key management service or CA with details about instance-id and CA can generate a Certificate, Sign It and send back to the associated instance. Saw a comment that AWS SNS doesn't send notification to KMS which is correct as KMS service is not integrated with SNS but the question is about Customer's Key Management Service and not AWS KMS. AFAIK, AWS KMS doesn't deal with X509 SSL certificates. It only deals with Cryptographic Keys

C is correct , A & B not handling to generate cert with instance-id.

I understand why B can't be the answer, since the very first request violates the policy. But how does the Key management service send signed certificate directly to the newly launched instance?

How does SNS send notifications to KMS?

To meet the requirements, It has to be C. A. Not unique for each instance. B. First request is too insecure. D. New instance may not have unique certificate before the first request

Cant be 'C'. KMS doesnt generate certificates, ACM does.

C is correct

Answer is B. When an EC2 instance that is started communicates with the Trusted Customer managed KMS service, it can use client ID and client secret to send the Certificate Signature request.