Which of the following is the MOST efficient way to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:-Have the EC2 instances bootstrapped to connect to a backend database.-Ensure that the database credentials are handled securely.-Ensure that retrievals of database credentials are logged.

Which of the following is the MOST efficient way to meet these requirements?

Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.

Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Explanations:

Passing database credentials as CloudFormation stack parameters does not secure them effectively. Even if the property is set to true to make them secure, it doesn’t log retrievals of these parameters. Logging to CloudWatch Logs does not ensure secure handling of credentials.

Storing database passwords in AWS Systems Manager Parameter Store using SecureString parameters provides strong encryption at rest. Setting the IAM role for the EC2 instance allows it to access these parameters securely, and AWS CloudTrail automatically logs access to these parameters, fulfilling the logging requirement.

Persisting the database password in Amazon S3, even with server-side encryption, is not the most efficient or secure method for handling sensitive credentials. Additionally, S3 does not automatically log access to objects without additional configurations. Retrieving the password from S3 introduces more complexity and potential vulnerabilities.

Using a UserData script to pass database credentials may expose them in the instance’s metadata. While it allows for logging to CloudWatch Logs, it lacks the secure handling and encryption capabilities that AWS Systems Manager Parameter Store provides. Logging script invocations does not guarantee that the credentials are securely managed.

2025-10-02

1 Comment

  1. Sharon
    Author

    I reckon the answer is:
    Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen − 6 =