Exam SCS-C01
Question 11

An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.

The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.

What should the Security Engineer do to meet these requirements?

    Correct Answer: D

    Database credentials belong in AWS Secrets Manager, which is built to store, retrieve and rotate secrets. AWS Key Management Service (KMS) manages encryption keys; it does not store credentials, so any option that keeps the password in KMS is wrong. To give the EC2 instances and the Lambda functions access, create one IAM role whose trust policy names the EC2 and Lambda service principals, grant it secretsmanager:GetSecretValue on the specific secret ARN (scoping Resource to that ARN rather than "*" is what satisfies "no other access is allowed"), add the role to an instance profile for the EC2 instances, and set the same role as the Lambda execution role. An instance profile can only be attached to EC2 instances, never to a Lambda function, which is why the option that attaches it to both fails. Every GetSecretValue call is recorded in AWS CloudTrail with the event time and the caller identity (the assumed-role session ARN, whose session name is the instance ID for an instance profile and the function name for a Lambda execution role), which meets the requirement that the logs show when the credentials were accessed and by whom. One caveat to check in practice: if the secret is encrypted with a customer managed KMS key instead of the AWS managed key, the role also needs kms:Decrypt on that key or GetSecretValue will be denied.
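The policy documents behind answer D, plus a check that they are as narrow as the question demands, as an added example that is not part of the exam page or of any AWS sample. The account ID, region, secret name, role name and the CloudTrail record are constructed for illustration; the allow-checker is a deliberately simplified model of IAM evaluation (explicit Deny wins, then any matching Allow, with "*" wildcards only), not the real engine.

```python
"""Added example: IAM role trust policy and least-privilege permissions policy
for the Secrets Manager pattern, a small allow-checker, and extraction of
"when" and "by whom" from a constructed CloudTrail GetSecretValue record."""
import fnmatch
import json

# Assumed identifiers (not from the page): a made-up account, region and secret.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf"
ROLE_NAME = "AppDbCredentialsRole"


def trust_policy():
    """Role trust policy: only the EC2 and Lambda service principals may assume it,
    so the same role serves the instance profile and the Lambda execution role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(secret_arn=SECRET_ARN):
    """Least-privilege inline policy: read exactly one secret, nothing else.
    Resource is the secret ARN, not "*", so other secrets stay unreadable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadDbCredentials",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny on a matching statement wins,
    otherwise the request is allowed only if some Allow statement matches both
    the action and the resource. Handles "*" wildcards, nothing more."""
    allowed = False
    for stmt in policy["Statement"]:
        matches = (
            any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        )
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed CloudTrail record shaped like a real GetSecretValue event.
# The session name of an instance-profile session is the instance ID; for a
# Lambda execution role it is the function name. All values are made up.
SAMPLE_EVENT = {
    "eventVersion": "1.08",
    "eventTime": "2024-03-01T12:34:56Z",
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "GetSecretValue",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/AppDbCredentialsRole/i-0abc123def456",
        "sessionContext": {"sessionIssuer": {
            "type": "Role",
            "arn": "arn:aws:iam::123456789012:role/AppDbCredentialsRole",
        }},
    },
    "requestParameters": {"secretId": SECRET_ARN},
    "sourceIPAddress": "10.0.1.25",
}


def who_accessed(event):
    """For a Secrets Manager GetSecretValue record, return when it happened, which
    session (instance or function) made the call, which role issued the session
    and which secret was read. Returns None for any other event."""
    if (event.get("eventSource") != "secretsmanager.amazonaws.com"
            or event.get("eventName") != "GetSecretValue"):
        return None
    ident = event["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return {
        "when": event["eventTime"],
        "session": ident["arn"],
        "role": issuer.get("arn"),
        "secret": event["requestParameters"]["secretId"],
        "source_ip": event.get("sourceIPAddress"),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print(who_accessed(SAMPLE_EVENT))
```

The checker is the useful part: run it against the policy with the secret's ARN and with a different secret's ARN, and against a write action such as secretsmanager:PutSecretValue, to confirm that the role can read only the one secret. When the secret uses a customer managed KMS key, the same role would additionally need kms:Decrypt on that key, which this minimal policy deliberately does not include.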

Discussion
INASR

D is for sure correct. A & B are wrong because you do not store credentials in AWS KMS. C is wrong because you do not attach an EC2 instance profile to a Lambda function; you attach it only to an EC2 instance.

Lunga

I agree with this answer - was about to type the same. D is correct.

ITGURU51

Secrets Manager uses a Lambda function to rotate the secret for a secured service or database.

BillyC

D, I think, is correct.

Mikeclue

D, all day. C is wrong: "Attach the instance profile to the EC2 instances and the Lambda function".

sanjaym

Ans: D 100%

devjava

Ans > D

AfricanCloudGuru

Ans (D), because the Lambda has the execution role.

luis12345

D! You do not attach an instance profile to a Lambda function, but you allow the function to access the role while executing.

jlggross

First, for credentials (secrets / passwords) you should use Secrets Manager. AWS KMS is for encryption keys. Second, you cannot attach an instance profile to a Lambda function. D is the correct answer.

cumzle_com (Option: D)

D is for sure correct.

Raphaello (Option: D)

D is correct.

Benah

D for me. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

ITGURU51

The IAM execution role for the Lambda function is necessary to be able to rotate the credentials. D

gg12345 (Option: D)

D - Seems to be the best answer.

jj22222 (Option: D)

D looks right

thePerfect

C is wrong, D is correct: "Lambda execution role" is the keyword.

PeppaPig

C is wrong simply because the secret string in SSM also requires KMS permissions in your IAM roles.

RajeshNayyar

KMS cannot be used to store passwords or secrets; the correct answer is D.