
SCS-C01 Exam - Question 11


An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials.

The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must record when the credentials were accessed and by whom.

What should the Security Engineer do to meet these requirements?

Correct Answer: D

The correct approach for securely storing and managing database credentials on AWS is to use AWS Secrets Manager, which is designed for storing and rotating database credentials and other secrets. AWS Key Management Service (KMS) manages encryption keys; it does not store credentials. To let the EC2 instances and the Lambda functions read the credentials from Secrets Manager, create an IAM role whose trust policy allows both the EC2 and Lambda service principals, grant that role permission to read the secret, attach it to the EC2 instances through an instance profile, and set it as the Lambda functions' execution role (an instance profile cannot be attached to a Lambda function). Because only that role can read the secret, no other principal has access, and every GetSecretValue call is recorded by AWS CloudTrail together with the calling identity and timestamp, which satisfies the requirement that access logs show when the credentials were accessed and by whom.
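The following is an added example, not part of the exam page and not AWS-supplied code: it builds the two IAM documents the answer describes (a trust policy naming both the EC2 and Lambda service principals, and a permissions policy scoped to a single secret and its KMS key), checks that the permissions policy contains no wildcards, and then filters a handful of constructed CloudTrail records to answer "who read the credentials and when". The account id, region, secret ARN, key ARN, role name and the CloudTrail records are all made up for the example.

```python
"""Added example: IAM documents and CloudTrail filtering for the
Secrets Manager approach. Every identifier below is constructed."""
import json

ACCOUNT_ID = "123456789012"                                   # constructed
REGION = "us-east-1"                                          # constructed
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:"
              "secret:prod/app/rds-credentials-AbCdEf")       # constructed
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"  # constructed


def trust_policy() -> dict:
    """One role for both consumers: EC2 assumes it via the instance profile,
    Lambda assumes it as the function's execution role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(secret_arn: str, kms_key_arn: str) -> dict:
    """Read exactly one secret, plus kms:Decrypt on its key, and only when
    the decrypt is requested through Secrets Manager (kms:ViaService)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDbCredentials",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue",
                           "secretsmanager:DescribeSecret"],
                "Resource": secret_arn,
            },
            {
                "Sid": "DecryptViaSecretsManagerOnly",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {"StringEquals": {
                    "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
            },
        ],
    }


def policy_is_scoped(policy: dict) -> bool:
    """True only if no Allow statement uses a wildcard resource or action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources or any(a.endswith("*") for a in actions):
            return False
    return True


# Constructed CloudTrail records in the shape Secrets Manager emits.
ROLE = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/AppDbCredsRole"          # constructed
SAMPLE_TRAIL = [
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": f"{ROLE}/i-0abc123"},
     "requestParameters": {"secretId": SECRET_ARN}},
    {"eventTime": "2024-06-01T10:00:05Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": f"{ROLE}/report-fn"},
     "requestParameters": {"secretId": SECRET_ARN}},
    {"eventTime": "2024-06-01T10:01:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/someone"},
     "requestParameters": {"secretId": SECRET_ARN}},
    {"eventTime": "2024-06-01T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "DescribeSecret", "userIdentity": {"arn": f"{ROLE}/i-0abc123"},
     "requestParameters": {"secretId": SECRET_ARN}},
]


def secret_reads(records: list, secret_arn: str) -> list:
    """(eventTime, caller ARN) for each successful GetSecretValue on the secret.
    Denied attempts carry errorCode and are excluded here; a detection rule
    would instead alert on them."""
    hits = []
    for r in records:
        if r.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if r.get("eventName") != "GetSecretValue" or r.get("errorCode"):
            continue
        if r.get("requestParameters", {}).get("secretId") != secret_arn:
            continue
        hits.append((r["eventTime"], r["userIdentity"]["arn"]))
    return hits


if __name__ == "__main__":
    print(json.dumps(permissions_policy(SECRET_ARN, KMS_KEY_ARN), indent=2))
    for when, who in secret_reads(SAMPLE_TRAIL, SECRET_ARN):
        print(when, who)
```

The `kms:ViaService` condition reflects the point raised in the discussion that the role also needs decrypt rights on the key protecting the secret; restricting it to calls made through Secrets Manager keeps the key from being usable for anything else. The session-name suffix on the assumed-role ARN (`i-0abc123`, `report-fn`) is what distinguishes the instance from the function in the trail, even though both use the same role.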

Discussion

17 comments
INASR
Sep 28, 2021

D for sure correct. A & B are wrong because you do not store credentials in AWS KMS. C is wrong because you do not attach an EC2 instance profile to a Lambda function; you attach it only to an EC2 instance.

Lunga
Oct 28, 2021

I agree with this answer - was about to type the same. D is correct

ITGURU51
May 17, 2023

Secrets Manager uses a Lambda function to rotate the secret for a secured service or database.

BillyC
Sep 20, 2021

D I think is correct

AfricanCloudGuru
Oct 30, 2021

Ans(D) Because the Lambda has the execution role

devjava
Oct 30, 2021

Ans > D

sanjaym
Oct 31, 2021

Ans: D 100%

Mikeclue
Nov 6, 2021

D. all day. C: is wrong "Attach the instance profile to the EC2 instances and the Lambda function"

luis12345
Jan 3, 2023

D! You do not attach an instance profile to a Lambda function, but rather allow the function to access the role while executing

RajeshNayyar
Oct 19, 2021

KMS cannot be used to store passwords or secrets; correct answer is D

PeppaPig
Oct 19, 2021

C is wrong simply because the secret string in SSM also requires KMS permissions in your IAM roles

thePerfect
Oct 26, 2021

C is wrong, D is correct: "Lambda execution role" keyword

jj22222 (Option: D)
Dec 28, 2021

D looks right

gg12345 (Option: D)
Nov 11, 2022

D - Seems to be the best answer.

ITGURU51
May 17, 2023

The IAM execution role for the Lambda function is necessary to be able to rotate the credentials. D

Benah
Sep 12, 2023

D for me. Store the database credentials in AWS Secrets Manager. Create an IAM role with access to Secrets Manager by using the EC2 and Lambda service principals in the role's trust policy. Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution.

Raphaello (Option: D)
Mar 6, 2024

D is correct.

cumzle_com (Option: D)
Jun 16, 2024

D for sure correct

jlggross
Jul 16, 2024

First, for credentials (secrets / passwords) you should use Secrets Manager. AWS KMS is for encryption keys. Second, you cannot attach an instance profile to a Lambda function. D is the correct answer.