ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 317 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 317
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository.
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.
Which solution meets these requirements?

  • A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
  • B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
  • C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
  • D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by roger8978 at Jan. 1, 2022, 9:38 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
argol
Highly Voted 3 years, 6 months ago
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance’s role, you can associate an IAM role with an ECS task definition or RunTask API operation. The applications in the task’s containers can then use the AWS SDK or CLI to make API requests to authorized AWS services. "D"
upvoted 13 times
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
Correct answer is D.
upvoted 1 times
...
captainpike
1 year, 11 months ago
Selected Answer: D
D. However, I believe inline policy would be better here. The problem is the wording of the option "Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only." It should have said "Use an IAM inline policy for the ECS task IAM Role.." the way the option was stated, it seems that you are creating an inline policy for the ECS task which is not possible.
upvoted 2 times
captainpike
1 year, 11 months ago
Why I think inline policy is better in this situation ? because of this https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies "inline policies maintain a strict one-to-one relationship between a policy and an identity. They are deleted when you delete the identity. " If you use the IAM role with managed policy, in theory, it's possible for db admins, by other means, use the policy somewhere else and gain access, and the questions states "to prevent database administrators from sharing database credentials as plaintext with other teammates". Maybe I am being too picky.
upvoted 1 times
...
...
Toptip
2 years, 1 month ago
Selected Answer: D
D for me
upvoted 1 times
...
awsec2
2 years, 6 months ago
The solution that meets these requirements is option B: Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only. AWS Secrets Manager is a service that makes it easier to manage secrets, such as database credentials. Secrets Manager rotates secrets automatically, eliminating the need for manual rotation and reducing the risk of human error. Additionally, Secrets Manager provides secure, encrypted storage for secrets, ensuring that they are not stored in plaintext.
upvoted 1 times
...
vbal
2 years, 10 months ago
Anyone, why not inline policy?
upvoted 3 times
...
sapien45
2 years, 11 months ago
Selected Answer: D
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
upvoted 1 times
...
Sec101
3 years, 4 months ago
The answer is C: Reason: Both D and C are the correct choices however, C is a cheaper choice. The question asks to reduce admin cost
upvoted 1 times
ccieman2016
3 years, 3 months ago
man, parameter store don't support automatic rotation, because it, D is correct.
upvoted 3 times
...
rodolfo2020
3 years, 4 months ago
Its Correct and obviously
upvoted 1 times
...
...
Radhaghosh
3 years, 5 months ago
Correct Option is Option D Combination of AWS Secrets Manager + ECS task Role
upvoted 1 times
...
roger8978
3 years, 6 months ago
D. I think. the application should assume a role to access the credentials.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel