What should the solutions architect do to meet this requirement?
A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.
B. Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.
C. Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify Amazon RDS as a principal in the trust policy.
D. Create an IAM trust relationship between the DB instance and the EC2 instance. Specify Systems Manager as a principal in the trust policy.
Explanations:
Option A: This option correctly outlines the steps to securely access a parameter in AWS Systems Manager Parameter Store. Creating an IAM role with read access to the parameter and allowing Decrypt access to the KMS key ensures that the EC2 instance can securely retrieve the database credentials. Assigning the role to the EC2 instance (through an instance profile) grants the necessary permissions without placing any long-lived credentials on the instance.
Option B: While creating an IAM policy is a necessary step, this option fails to specify how the policy would be attached to the EC2 instance. IAM policies are attached to roles, users or groups, not directly to instances. The correct approach is to attach the policy to an IAM role and assign that role to the instance, as described in Option A.
Option C: This option incorrectly suggests creating a trust relationship between the Parameter Store parameter and the EC2 instance. A trust policy defines which principal may assume a role; it does not grant access to a parameter, and Amazon RDS is not a principal that needs to assume anything here. Therefore, this approach does not address the requirement.
Option D: This option is incorrect because it misapplies trust relationships by attempting to create one between the DB instance and the EC2 instance with Systems Manager as a principal. Trust relationships do not facilitate direct parameter access in this context and are not applicable here.
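The following CloudFormation template is an added example of what Option A looks like when written down; it is not part of the question or its explanations. The parameter path, key ARN, AMI ID and resource names are assumptions, and the kms:ViaService condition is an extra least-privilege tightening that the option text does not mention.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the question) - least-privilege role for Option A
Parameters:
  ParameterName:
    Type: String
    Default: /app/db/credentials   # assumed parameter path, not given on the page
  KmsKeyArn:
    Type: String                   # ARN of the customer managed key that encrypts the parameter
Resources:
  ParameterReaderRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service can assume this role (not RDS or Systems Manager)
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadDbCredentialParameter
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read access limited to the single parameter, not ssm:* or every parameter
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${ParameterName}
              # Decrypt limited to the one key, and only when called through Parameter Store
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref KmsKeyArn
                Condition:
                  StringEquals:
                    kms:ViaService: !Sub ssm.${AWS::Region}.amazonaws.com
  ParameterReaderProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ParameterReaderRole
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-EXAMPLE        # placeholder, replace with a real AMI ID
      InstanceType: t3.micro
      # "Assign this IAM role to the EC2 instance" = attach the instance profile that wraps it
      IamInstanceProfile: !Ref ParameterReaderProfile
```

Once the stack is deployed, a process on the instance can run `aws ssm get-parameter --name /app/db/credentials --with-decryption` using the role's temporary credentials from the instance metadata service, with no access keys stored on the host.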