
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 131 discussion

A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts.

In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account.

The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets.

Which solution will meet these requirements?

  • A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
  • B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
  • C. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
  • D. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
Suggested Answer: B
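The following is an added example, not code from the exam page or from AWS: it models the two-role pattern of option B with the actual policy documents each role would carry and walks the chain the DBA EC2 instance follows, reporting the first missing link. Account IDs, the secret ARN and the region are constructed placeholders; the evaluator covers only the IAM subset needed here (Allow/Deny, `*`/`?` wildcards, role and account-root principals) and is not a replacement for the IAM policy simulator. It also shows the point raised in the comment thread: a cross-account AssumeRole needs both the identity-side `sts:AssumeRole` permission on DBA-Admin and a trust policy on DBA-Secret that names DBA-Admin, and no `kms:Decrypt` grant is required because DBA-Secret is a principal in the account that owns the AWS managed key.

```python
"""Added example (not from the exam page or AWS): offline model of option B.
Account IDs, secret ARN and region are constructed placeholders."""
import fnmatch

APP_ACCOUNT = "111111111111"  # constructed: owns the RDS database and the secret
DBA_ACCOUNT = "222222222222"  # constructed: runs the DBA EC2 instance
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{APP_ACCOUNT}:secret:prod/app/db-AbCdEf"
DBA_SECRET_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT}:role/DBA-Secret"
DBA_ADMIN_ROLE_ARN = f"arn:aws:iam::{DBA_ACCOUNT}:role/DBA-Admin"

# Trust policy of DBA-Secret (application account): who may assume it.
DBA_SECRET_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": DBA_ADMIN_ROLE_ARN},
                   "Action": "sts:AssumeRole"}],
}

# Permissions policy of DBA-Secret: read exactly one secret. No kms:Decrypt
# statement is needed: the secret uses the AWS managed key aws/secretsmanager,
# which Secrets Manager may use for principals in the owning account, and
# DBA-Secret is such a principal.
DBA_SECRET_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["secretsmanager:GetSecretValue",
                              "secretsmanager:DescribeSecret"],
                   "Resource": SECRET_ARN}],
}

# Permissions policy of DBA-Admin (EC2 instance role in the DBA account):
# it may assume DBA-Secret and nothing else.
DBA_ADMIN_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "sts:AssumeRole",
                   "Resource": DBA_SECRET_ROLE_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. '*' and '?' wildcards behave as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def _principal_matches(entry, principal_arn):
    # "arn:aws:iam::ACCOUNT:root" trusts the whole account; every principal in
    # it still needs its own identity-side sts:AssumeRole permission.
    if entry.endswith(":root"):
        return entry.split(":")[4] == principal_arn.split(":")[4]
    return entry == principal_arn


def trust_allows(trust_policy, principal_arn):
    """Resource-side half of the hop: does the target role's trust policy name the caller?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if any(_principal_matches(p, principal_arn)
               for p in _as_list(stmt["Principal"].get("AWS", []))):
            return True
    return False


def secret_reachable(admin_perms=DBA_ADMIN_PERMS, secret_trust=DBA_SECRET_TRUST,
                     secret_perms=DBA_SECRET_PERMS, admin_arn=DBA_ADMIN_ROLE_ARN,
                     secret_role_arn=DBA_SECRET_ROLE_ARN, secret_arn=SECRET_ARN):
    """Walk the chain the EC2 instance would follow and report the first gap.
    Both halves of the cross-account hop are required: an Allow on the caller
    AND a trust policy on the target role."""
    if not policy_allows(admin_perms, "sts:AssumeRole", secret_role_arn):
        return False, "DBA-Admin lacks sts:AssumeRole on DBA-Secret"
    if not trust_allows(secret_trust, admin_arn):
        return False, "DBA-Secret's trust policy does not trust DBA-Admin"
    if not policy_allows(secret_perms, "secretsmanager:GetSecretValue", secret_arn):
        return False, "DBA-Secret lacks secretsmanager:GetSecretValue on the secret"
    return True, "ok"


if __name__ == "__main__":
    print("option B chain:", secret_reachable())
    # Same setup with the trust policy left out: the identity-side Allow alone is not enough.
    print("without trust policy:", secret_reachable(secret_trust={"Version": "2012-10-17", "Statement": []}))
```

Scoping DBA-Secret's permissions to the single secret ARN and DBA-Admin's to the single role ARN keeps the blast radius of a compromised DBA instance to that one credential; CloudTrail in the application account records every `AssumeRole` and `GetSecretValue` made through DBA-Secret, which gives the application team an audit trail they do not get from manually shared secrets.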

Comments

bititan
Highly Voted 1 year, 8 months ago
Selected Answer: B
Follow the link below. It has both options to be used for this scenario. But the default KMS key cannot be used, so B: https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/
upvoted 15 times
Sarutobi
Highly Voted 1 year, 6 months ago
Selected Answer: B
Although I think B is the best, it is missing a mention of the trust policy in the application account.
upvoted 6 times
ninomfr64
9 months, 3 weeks ago
"Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account." This sounds like a trust policy to me.
upvoted 1 times
ninomfr64
Most Recent 9 months, 3 weeks ago
Selected Answer: B
A = A secret is not a RAM-shareable resource. But who can recall this full list? Thus my reasoning is, I would expect more details for sharing via RAM, like enabling AWS Org sharing, assigning permissions (actions allowed on the shared resource) and selecting the external principal.
B = correct, see https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/
C = cannot cross-account access an AWS managed KMS key, as you do not have control of the key policy.
D = SCPs can only remove permissions. Even though an SCP doesn't prevent you from accessing a secret, you still need to have an IAM user permission and/or resource-based policy in place to actually access it.
upvoted 4 times
horyoryo
10 months, 3 weeks ago
Option B
upvoted 1 times
career360guru
10 months, 3 weeks ago
Selected Answer: B
Option B
upvoted 1 times
bjexamprep
11 months, 1 week ago
Selected Answer: B
Even though B is the best answer among all the options, B is actually not correct. Without permission to access the KMS key, B cannot decrypt the secret.
upvoted 2 times
bjexamprep
8 months ago
I was wrong. It is using AWS managed default encryption key, so it doesn't need the permission to access KMS key. The flaw of B is trust relationship policy.
upvoted 1 times
severlight
12 months ago
Selected Answer: B
The Secrets Manager keys cannot be shared with RAM; the key policy (resource policy) for the default KMS key managed by AWS cannot be changed; a role is an identity and can be granted access to assume another role.
upvoted 1 times
rlf
1 year ago
Answer is B. Option A is wrong. AWS RAM cannot share AWS Secrets Manager (see shareable resources in https://docs.aws.amazon.com/ram/latest/userguide/shareable.html).
upvoted 3 times
uC6rW1aB
1 year, 2 months ago
Selected Answer: A
Both Option A and Option B give repository administrators access to the repository and eliminate the need to manually share secrets. Option A is a relatively simple process of sharing secrets with AWS RAM and setting up an IAM role within the DBA account. Option B requires creating an IAM role in two different AWS accounts and setting cross-account permissions, which is a more complicated process. So, while both A and B accomplish the goal, option A is simpler and more straightforward.
upvoted 1 times
chikorita
1 year, 2 months ago
Who said we can share secrets using RAM? I just checked under RAM and the allowed shareable AWS services; AWS Secrets Manager is NOT one of those. Answer is B.
upvoted 4 times
venvig
1 year, 2 months ago
Selected Answer: B
As several people have highlighted, we refer to the blog https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/ I want to provide the following comment to emphasize why "C" is NOT even possible. In Option C, it's mentioned that the default AWS managed CMK is used by Secrets Manager. We cannot provide any custom permissions to the AWS managed CMK and, by extension, it's not possible to allow cross-account access to it. So, only Option B is valid.
upvoted 1 times
NikkyDicky
1 year, 4 months ago
Selected Answer: B
It's a B.
upvoted 1 times
Jackhemo
1 year, 5 months ago
Guys, you want to know the right answer? Copy-paste the whole question to olabiba.ai. The answer is B.
upvoted 1 times
OCHT
1 year, 6 months ago
Selected Answer: A
Option A is the correct answer because it meets the requirement of giving the database administrators access to the database and eliminates the need to manually share the secrets. AWS Resource Access Manager (AWS RAM) enables you to share AWS resources with other accounts within your organization or organizational units (OUs) in AWS Organizations. By using AWS RAM to share the secrets from the application account with the DBA account, you can eliminate the need for manual sharing of secrets. Option B involves creating an IAM role in the application account and another IAM role in the DBA account. The DBA-Admin role in the DBA account would need to assume the DBA-Secret role in the application account to access the secrets. This approach adds complexity and does not eliminate the need for manual sharing of secrets. In summary, Option A is a simpler and more efficient solution that meets the requirements.
upvoted 2 times
Maria2023
1 year, 4 months ago
I couldn't find any option to share Secrets Manager resources via RAM; did anyone try it?
upvoted 4 times
dev112233xx
1 year, 7 months ago
Selected Answer: B
B is correct, D doesn't make sense! An SCP doesn't give any permission; it just defines what can be allowed. You still need an IAM role/policy.
upvoted 2 times
mfsec
1 year, 7 months ago
Selected Answer: B
B is the best choice
upvoted 2 times
DWsk
1 year, 7 months ago
Selected Answer: B
Has to be B because C is not possible. I get that you can't share access to the default KMS key, but how does it work to share access through a cross account role? How does the role in the DBA account decrypt the secrets that are encrypted by the default key if the role doesn't have permissions to that key?
upvoted 4 times
kiran15789
1 year, 8 months ago
Selected Answer: B
Cross-account assume role.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%)