Q56 — AWS SAA-C03 Ch.3


Q186. A solutions architect needs to securely store a database user name and password that an application uses to access an Amazon RDS DB instance. The application that accesses the database runs on an Amazon EC2 instance. The solutions architect wants to create a secure parameter in AWS Systems Manager Parameter Store. What should the solutions architect do to meet this requirement?

Correct Answer: A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.

Explanation

A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance. This is the correct option. A SecureString parameter in Parameter Store is encrypted with a KMS key, so reading it requires two permissions: ssm:GetParameter on the parameter and kms:Decrypt on the key that encrypts it (for a customer managed key this must be granted explicitly). Putting both permissions in an IAM role and attaching the role to the EC2 instance through an instance profile lets the application obtain short-lived credentials from the instance metadata service and call GetParameter with decryption enabled. No long-lived access keys and no plaintext password need to be stored on the instance.

Option B suggests creating an IAM policy. A policy on its own grants nothing; it has to be attached to a principal (an IAM user, group, or role), and an EC2 instance cannot carry a user or group. The only principal an instance can act as is a role attached via an instance profile, which is exactly what option A adds. Option B also gives no guidance on how the application running on the instance would securely obtain credentials to call Parameter Store.

Option C suggests creating an IAM trust relationship between Parameter Store and the EC2 instance, with Amazon RDS specified as a principal in the trust policy. A role's trust policy controls who may assume the role, and here that must be the EC2 service (ec2.amazonaws.com), not RDS. Naming RDS as a principal does not address the requirement to securely store and read the database user name and password.
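The following is an added example, not part of the original exam explanation, showing what the role in option A actually contains: the trust policy that lets the EC2 service assume the role, a least-privilege permissions policy scoped to one parameter and one KMS key (with the decrypt grant restricted to calls made through Parameter Store via kms:ViaService), a small checker that flags overly broad statements, and the read path the application uses. The region, account ID, parameter name, key ID and the JSON layout of the stored credential are constructed values for illustration; the ssm_client argument is an assumption added so the read function can be exercised without AWS access (on the instance, boto3 picks up the instance-profile credentials automatically).

```python
import json

# Constructed values for the example; substitute your own in practice.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
PARAMETER_NAME = "/prod/app/db-credentials"
KMS_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # customer managed key that encrypts the SecureString


def ec2_trust_policy():
    """Trust policy: only the EC2 service may assume the role (via an instance profile)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def parameter_arn(region, account_id, name):
    """SSM parameter ARNs use 'parameter/<name>'; avoid a doubled slash for names that start with '/'."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def parameter_read_policy(region, account_id, name, key_id):
    """Permissions policy for the role: read one parameter and decrypt with one key, only through SSM."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDbCredentialParameter",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter"],
                "Resource": parameter_arn(region, account_id, name),
            },
            {
                "Sid": "DecryptOnlyThroughParameterStore",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
                # The key may be used only when Parameter Store calls KMS on the role's behalf,
                # not to decrypt arbitrary ciphertext directly with the role's credentials.
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
            },
        ],
    }


def policy_findings(policy):
    """Return a list of statements that are broader than this use case needs (empty list = clean)."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if any(r == "*" for r in resources):
            findings.append(f"{sid}: wildcard resource")
        if any(a.startswith("kms:") for a in actions) and "Condition" not in stmt:
            findings.append(f"{sid}: KMS grant not restricted with kms:ViaService")
    return findings


def read_db_credentials(name, ssm_client=None):
    """Fetch and decrypt the SecureString from the instance; returns (username, password).

    The credential is assumed to be stored as JSON: {"username": ..., "password": ...}.
    ssm_client is injectable (assumption for offline use); on EC2 the real client is built here
    and boto3 picks up the instance-profile credentials without any keys on disk.
    """
    if ssm_client is None:
        import boto3  # real call path on the EC2 instance
        ssm_client = boto3.client("ssm")
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    creds = json.loads(resp["Parameter"]["Value"])
    return creds["username"], creds["password"]


if __name__ == "__main__":
    policy = parameter_read_policy(REGION, ACCOUNT_ID, PARAMETER_NAME, KMS_KEY_ID)
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

The two documents printed by the block are what you pass to iam:CreateRole (trust policy) and iam:PutRolePolicy (permissions policy); the role is then placed in an instance profile and associated with the instance. Note that the permissions policy grants only GetParameter on a single ARN, not ssm:GetParameters or a path wildcard, and the kms:Decrypt grant cannot be used outside Parameter Store.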