Which solution will meet these requirements?
A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
C. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
D. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
Explanations:
A. AWS Resource Access Manager (AWS RAM) can share only a specific set of resource types, and AWS Secrets Manager secrets are not among them, so the secrets cannot be shared this way. The option also provides no cross-account role assumption, so the DBA-Admin role would have no path to the secrets, making it inadequate for cross-account access.
B. This option creates the DBA-Secret role in the application account, where the secrets live, and allows the DBA-Admin role in the DBA account to assume it. The EC2 instance in the DBA account obtains temporary credentials for DBA-Secret and reads the secrets directly, so no manual sharing is needed. The cross-account role assumption is properly structured, giving the EC2 instance secure access to the secrets.
C. Although this option creates a role and grants access to the default AWS managed key, it does not provide cross-account access to the secrets: the resource-based policies are attached to the key rather than to the secrets themselves, and the key policy of an AWS managed key cannot be edited in any case. AWS Secrets Manager requires permissions on the secrets, which this option does not address.
D. This option relies on a Service Control Policy (SCP) to grant access to the secrets, which is not what SCPs do. SCPs are organization-level guardrails that set the maximum permissions available in an account; they never grant permissions on their own and do not directly allow access to resources such as Secrets Manager secrets. Therefore, it does not meet the requirement of eliminating manual sharing of secrets.
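The following added example (not part of the original question or its explanations) shows the policy documents that make option B work and the call sequence the EC2 instance in the DBA account runs. The account IDs, region, secret ARN and role ARNs are constructed placeholders, not values from the page; the `uses_wildcard_resource` check is a hypothetical helper added to catch over-broad policies before they are deployed.

```python
"""Cross-account Secrets Manager access via IAM role assumption (added example).

Application account holds the secrets and the DBA-Secret role.
DBA account holds the DBA-Admin role attached to the EC2 instance profile.
"""
import json

# Constructed placeholder values; replace with real ones.
APP_ACCOUNT_ID = "111111111111"
DBA_ACCOUNT_ID = "222222222222"
REGION = "us-east-1"
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{APP_ACCOUNT_ID}"
              ":secret:prod/db-credentials-AbCdEf")
DBA_SECRET_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT_ID}:role/DBA-Secret"


def dba_secret_trust_policy(dba_account_id: str) -> dict:
    """Trust policy on DBA-Secret (application account).

    Only the DBA-Admin role in the DBA account may assume this role;
    trusting the whole account (":root") would be broader than needed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dba_account_id}:role/DBA-Admin"},
            "Action": "sts:AssumeRole",
        }],
    }


def dba_secret_permissions_policy(secret_arn: str) -> dict:
    """Permissions policy on DBA-Secret: read one named secret, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue",
                       "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def dba_admin_assume_policy(dba_secret_role_arn: str) -> dict:
    """Permissions policy on DBA-Admin (DBA account, in the EC2 instance profile).

    DBA-Admin needs no Secrets Manager permissions of its own; it only needs
    to assume DBA-Secret in the application account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": dba_secret_role_arn,
        }],
    }


def uses_wildcard_resource(policy: dict) -> bool:
    """Hypothetical pre-deployment check: flag any Allow statement whose Resource is '*'."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            return True
    return False


def render(policy: dict) -> str:
    """Serialize a policy document as the JSON that IAM accepts."""
    return json.dumps(policy, indent=2)


def fetch_secret_cross_account(dba_secret_role_arn: str, secret_id: str,
                               region: str, session_name: str = "dba-secret-access") -> str:
    """What runs on the EC2 instance in the DBA account.

    Instance-profile credentials (DBA-Admin) call STS to assume DBA-Secret,
    then the temporary credentials read the secret. Requires boto3 and
    network access, so it is not exercised offline.
    """
    import boto3  # imported here so the policy helpers stay importable without boto3
    sts = boto3.client("sts", region_name=region)
    creds = sts.assume_role(RoleArn=dba_secret_role_arn,
                            RoleSessionName=session_name)["Credentials"]
    sm = boto3.client("secretsmanager", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return sm.get_secret_value(SecretId=secret_id)["SecretString"]


if __name__ == "__main__":
    for name, policy in [("DBA-Secret trust", dba_secret_trust_policy(DBA_ACCOUNT_ID)),
                         ("DBA-Secret permissions", dba_secret_permissions_policy(SECRET_ARN)),
                         ("DBA-Admin permissions", dba_admin_assume_policy(DBA_SECRET_ROLE_ARN))]:
        assert not uses_wildcard_resource(policy), f"{name} grants a wildcard resource"
        print(f"--- {name} ---\n{render(policy)}")
```

The STS call is logged in CloudTrail of both accounts (AssumeRole in the DBA account, GetSecretValue under the assumed-role session in the application account), which is the audit trail a reviewer should expect to see. If the secret is encrypted with a customer managed KMS key rather than the default key, the DBA-Secret role also needs kms:Decrypt on that key; because DBA-Secret lives in the application account, no cross-account key policy is required.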