What should the Security Engineer do to meet these requirements?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances.These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance.Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.The credentials must be stored so that the EC2 instances and the Lambda functions can access them.No other access is allowed.The access logs must record when the credentials were accessed and by whom.

What should the Security Engineer do to meet these requirements?

Store the database credentials in AWS Key Management Service (AWS KMS). Create an IAM role with access to AWS KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.

Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances and the Lambda function.

Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role’s trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Explanations:

AWS Key Management Service (KMS) is primarily used for encryption, not for managing database credentials. KMS does not provide a secure mechanism for accessing credentials like AWS Secrets Manager does. Additionally, KMS access logs are not as detailed for tracking credential access.

Similar to Option A, AWS KMS is not suitable for storing database credentials. While KMS can be used to encrypt data, it is not designed for secure credential management like AWS Secrets Manager. Furthermore, KMS does not provide the required detailed access logs for credential usage.

Storing credentials in AWS Secrets Manager is the right approach, but this option incorrectly attaches the role to the EC2 instance profile for both EC2 instances and Lambda functions, rather than setting Lambda to use the IAM role directly. This configuration could lead to permission issues.

Storing credentials in AWS Secrets Manager provides a secure and managed solution for storing database credentials. By using an IAM role with access to Secrets Manager for both EC2 instances and Lambda functions, and setting up Lambda to use the role directly, access is correctly controlled. Secrets Manager also provides detailed access logs, meeting the requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *

18 − 15 =