Q73 — AWS DOP-C02 Ch.3

A large enterprise is deploying a web application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer. These instances run in an Auto Scaling group spanning multiple Availability Zones. The application stores data in an Amazon RDS Oracle database instance and Amazon DynamoDB. Separate environments exist for development, testing, and production.

Correct Answer: B. Launch EC2 instances with an EC2 IAM role to access AWS services. Retrieve database credentials from AWS Secrets Manager.

Explanation

Option B is the most secure and flexible choice. Launching the EC2 instances with an IAM role for EC2 lets them call AWS services with only the permissions the role grants, which improves security and makes permission management easier to change over time. Retrieving the database credentials from AWS Secrets Manager keeps them out of application code and configuration, protecting them from accidental exposure or unauthorized access.

The other options carry security risks or reduced flexibility. Option A retrieves access keys from a Systems Manager SecureString parameter, which is less flexible than using IAM roles. Option C retrieves access keys from plaintext parameters, which poses a significant security risk. Option D stores the database password in an encrypted configuration file shipped alongside the application artifacts, which is less secure and less flexible than retrieving it dynamically from Secrets Manager. Therefore, Option B is correct.
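To make the least-privilege point in Option B concrete, below is an added example of the permissions policy that could be attached to the EC2 instance role: it allows the instances to read exactly one secret and nothing else. This policy is not part of the question or the exam material; the secret ARN is a placeholder you would replace with the ARN of the database secret in your own account and region.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyTheDatabaseSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER_DB_SECRET_NAME-*"
    }
  ]
}
```

Because the role is attached to the instances, the application obtains temporary credentials from the instance metadata service and never needs a stored access key; scoping `Resource` to one secret ARN (the trailing `-*` covers the random suffix Secrets Manager appends to secret ARNs) means a compromised instance in the development environment cannot read the production database secret.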