Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 554 discussion

The answer is C A - you simply don't do that. No credentials in templates B - for such sensitive data you should use Secrets Manager not Parameters Store C - looks right, aside of everything else, EC2 can assume a role D - it is possible to associate EC2 instance with role but not with the user

The company does not want to maintain static DB credentials so both A and B are out

Key word "To deploy the EC2 instances and Aurora DB cluster, the business used an AWS Cloud Formation template". "The business does not want to keep track of static database credentials", "LEAST amount of operational effort" Answer A: Meet the requirement. The rest need additional effort and support.

Not B coz it uses username and password.

First, Automatically exclude A,B - no reason to use username/password when you can use IAM, and forget what anyone says, we CAN indeed use IAM for DB, even if the exact DB is not specified in this question https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html And it is not D, cause it doesnt sound logical to associate a user with an instance. So the only correct option for me here is C

First, Automatically exclude A,B - no reason to use username/password when you can use IAM, and forget what anyone says, we CAN indeed use IAM for DB, even if the exact DB is not specified in this question https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html And it is not D, cause it doesnt sound logical to associate a user with an instance. So the only correct option for me here is C

Answer is C : IAM database authentication method With IAM database authentication method, you don't need to use a password when you connect to a DB cluster. Instead, you use an authentication token. You don't need to store user credentials in the database, because authentication is managed externally using IAM. For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

Answer is B, You can NOT use IAM for data base AUTHENTICATION

"You can use the SecureString parameter type for textual data that you want to encrypt, such as passwords, application secrets, confidential configuration data, or any other types of data that you want to protect." https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/

IAM is always safer option than using some kind of credentials.

C Obviously

this should be B, as directly stated in AWS docs SSM parameter store can be used for passwords (and can be encrypted) and is usable with DB connections. C is for me out because it describes the process of using roles directly attached to EC2, but at the same time describing using IAM user for DB connection (which can be done) which are 2 completely different approaches.

A is correct. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/deploying.applications.html

Should be B

C, here is why https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security. Since the you can only associate roles to the EC2 instances, D is out. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html

We gathered ABCD... I am not sure about this, maybe C?