Exam AWS Certified Solutions Architect - Professional topic 1 question 974 discussion

A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts.

In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account.

The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets.

Which solution will meet these requirements?

  • A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
  • B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
  • C. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
  • D. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
Suggested Answer: B
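The pattern behind answer B, as an added example that is not part of the exam page or of any AWS sample: the trust and permissions policies on DBA-Secret, the single permission DBA-Admin needs, a check for the trust statement without which the cross-account hop fails, and the assume-then-read sequence the EC2 instance in the DBA account runs. Account IDs, region, secret name and the client-factory parameter are constructed placeholders.

```python
import json

APP_ACCOUNT = "111111111111"  # constructed placeholder: application account id
DBA_ACCOUNT = "222222222222"  # constructed placeholder: DBA account id
REGION = "us-east-1"          # constructed placeholder
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{APP_ACCOUNT}:secret:app/rds-creds"  # placeholder
DBA_SECRET_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT}:role/DBA-Secret"
DBA_ADMIN_ROLE_ARN = f"arn:aws:iam::{DBA_ACCOUNT}:role/DBA-Admin"

def dba_secret_trust_policy():
    """Trust policy on DBA-Secret (application account): only DBA-Admin may assume it."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": DBA_ADMIN_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

def dba_secret_permissions_policy():
    """Permissions on DBA-Secret: read this one secret only. No KMS change is needed:
    the assumed role is an application-account principal, and that account owns the
    aws/secretsmanager managed key (whose policy cannot be edited, ruling out C)."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN}]}

def dba_admin_permissions_policy():
    """Permissions on DBA-Admin (DBA account, EC2 instance profile): only the hop."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "sts:AssumeRole", "Resource": DBA_SECRET_ROLE_ARN}]}

def trust_policy_allows(trust_policy, principal_arn):
    """True if an Allow statement lets principal_arn call sts:AssumeRole. Without
    one, STS refuses the DBA-Admin -> DBA-Secret hop whatever the permissions say."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions
                and principal_arn in principals):
            return True
    return False

def fetch_cross_account_secret(sts, make_secrets_client):
    """Run on the EC2 instance in the DBA account: assume DBA-Secret, then read the
    secret with the temporary credentials. sts is an STS client; make_secrets_client
    (hypothetical parameter) turns the Credentials dict into a Secrets Manager client."""
    creds = sts.assume_role(RoleArn=DBA_SECRET_ROLE_ARN,
                            RoleSessionName="dba-rds-access")["Credentials"]
    secret = make_secrets_client(creds).get_secret_value(SecretId=SECRET_ARN)
    return json.loads(secret["SecretString"])
```

On a real instance, `sts` is `boto3.client("sts")` and `make_secrets_client` builds `boto3.client("secretsmanager", ...)` from the `AccessKeyId`, `SecretAccessKey` and `SessionToken` in the returned dict; the instance profile itself only needs the DBA-Admin policy above.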

Comments

nyunyu
Highly Voted 2 years, 5 months ago
Selected Answer: B
Correct BB
upvoted 7 times
DiaaCloud
Most Recent 1 year, 8 months ago
There is an issue in this question. The secrets are encrypted by the default AWS managed key, which cannot be shared with other accounts. It needs to be a CMK (not the default) to be shared.
upvoted 1 times
rsn
1 year, 9 months ago
Selected Answer: A
Answer explained above
upvoted 1 times
vn_thanhtung
1 year, 9 months ago
https://docs.aws.amazon.com/ram/latest/userguide/shareable.html I don't think so; RAM cannot share AWS Secrets Manager secrets.
upvoted 1 times
rsn
1 year, 9 months ago
I feel B is not correct. There is no mention of setting up a trust policy in the role (in the application account) that allows the DBA account to assume this role. Without this, the solution proposed in B cannot work. I feel the answer is A.
upvoted 1 times
wendy_abigail
1 year, 11 months ago
Selected Answer: B
B. It is literally this blog: https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/ Not C, because it's not possible to edit the key policy of an AWS managed KMS key.
upvoted 1 times
Jesuisleon
2 years ago
Selected Answer: C
B is apparently WRONG. The DBA-Secret role doesn't have permission to access the AWS managed key; how could B address "eliminates the need to manually share the secrets"?
upvoted 1 times
Jesuisleon
2 years ago
Please ignore C; the correct answer is B. In C we can't give DBA-Admin the permissions in the application account. We need a role in the application account that has the respective permissions and let DBA-Admin assume that role in the application account. B is right.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other