Which combination of steps will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company deploys an application on on-premises devices in the company’s on-premises data center.The company uses an AWS Direct Connect connection between the data center and the company’s AWS account.During initial setup of the on-premises devices and during application updates, the application needs to retrieve configuration files from an Amazon Elastic File System (Amazon EFS) file system.All traffic from the on-premises devices to Amazon EFS must remain private and encrypted.The on-premises devices must follow the principle of least privilege for AWS access.The company’s DevOps team needs the ability to revoke access from a single device without affecting the access of the other devices.

Which combination of steps will meet these requirements?

(Choose two.)

Create an IAM user that has an access key and a secret key for each device. Attach the AmazonElasticFileSystemFullAccess policy to all IAM users. Configure the AWS CLI on the on-premises devices to use the IAM user’s access key and secret key.

Generate certificates for each on-premises device in AWS Private Certificate Authority. Create a trust anchor in IAM Roles Anywhere that references an AWS Private CA. Create an IAM role that trust IAM Roles Anywhere. Attach the AmazonElasticFileSystemClientReadWriteAccess to the role. Create an IAM Roles Anywhere profile for the IAM role. Configure the AWS CLI on the on-premises devices to use the aws_signing_helper command to obtain credentials.

Create an IAM user that has an access key and a secret key for all devices. Attach the AmazonElasticFileSystemClientReadWriteAccess policy to the IAM user. Configure the AWS CLI on the on-premises devices to use the IAM user’s access key and secret key.

Use the amazon-efs-utils package to mount the EFS file system.

Use the native Linux NFS client to mount the EFS file system.

Explanations:

Using IAM users with access keys for each device does not follow the principle of least privilege, and it would be difficult to revoke access for a single device without affecting others.

IAM Roles Anywhere with unique certificates for each device allows the principle of least privilege and makes it easy to revoke access from a single device by removing its certificate or IAM role association.

Sharing one IAM user’s access key across all devices is not secure, as it doesn’t follow the principle of least privilege, and individual device access cannot be managed separately.

The amazon-efs-utils package provides secure, encrypted mounting options (such as TLS) for Amazon EFS, meeting the requirement for encrypted, private connections between on-premises devices and EFS.

The native Linux NFS client does not support encrypted connections to Amazon EFS. It would not meet the requirement for traffic to remain encrypted.

2025-10-10

1 Comment

  1. Douglas
    Author

    I scheme that the answer is:
    Generate certificates for each on-premises device in AWS Private Certificate Authority. Create a trust anchor in IAM Roles Anywhere that references an AWS Private CA. Create an IAM role that trust IAM Roles Anywhere. Attach the AmazonElasticFileSystemClientReadWriteAccess to the role. Create an IAM Roles Anywhere profile for the IAM role. Configure the AWS CLI on the on-premises devices to use the aws_signing_helper command to obtain credentials.

Leave a Reply

Your email address will not be published. Required fields are marked *

6 + seventeen =