Q41 — AWS SAP-C02 Ch.1


Q116. A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts. In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account. The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets. Which solution will meet these requirements?

Correct Answer: B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.

Explanation

To give the database administrators access to the database and eliminate the need to manually share the secrets, take the following steps (option B):

1. In the application account, create an IAM role named DBA-Secret. This role has the required permissions to access the secrets stored in AWS Secrets Manager in the application account; grant the DBA-Secret role those permissions.
2. In the DBA account, create an IAM role named DBA-Admin. The database administrators use this role to assume the DBA-Secret role in the application account; grant the DBA-Admin role the required permissions to assume DBA-Secret.
3. Attach the DBA-Admin role to the EC2 instance in the DBA account for access to the cross-account secrets.

Why the other options are incorrect:

- Option A: using AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account does not address the requirement of eliminating the need to manually share the secrets, and it does not give the database administrators a way to access the secrets.
- Option C: creating an IAM role in the DBA account and granting it access to the secrets and to the default AWS managed key in the application account does not provide a mechanism for the database administrators to assume that role and access the secrets.
- Option D: creating an IAM role in the DBA account, granting it access to the secrets in the application account, and attaching a service control policy (SCP) to the application account to allow access from the DBA account does not provide a mechanism for the database administrators to assume a role and access the secrets.

Therefore, the correct solution is B: create the DBA-Secret role in the application account with permission to read the secrets, create the DBA-Admin role in the DBA account with permission to assume DBA-Secret, and attach DBA-Admin to the EC2 instance so it can reach the cross-account secrets.
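As an added illustration (not part of the original question bank), these are the four IAM policy documents that wire option B together. The account IDs, region and secret name are placeholders; the structure assumes the secret stays encrypted with the AWS managed key aws/secretsmanager, which is why the role that actually reads the secret must live in the application account.

```yaml
# Added example, not from the page. 111111111111 = application account,
# 222222222222 = DBA account, us-east-1 = region: all placeholders.
#
# The secret is encrypted with the AWS managed key aws/secretsmanager. Its key
# policy permits use only by principals of the application account calling via
# Secrets Manager, and that key policy cannot be edited or extended to another
# account. Decryption therefore has to happen under an application-account
# principal, which is what the DBA-Secret role provides; no explicit kms:Decrypt
# statement is needed for the managed key in that account.

# 1) Application account: permissions policy attached to role DBA-Secret.
DBA-Secret-permissions:
  Version: "2012-10-17"
  Statement:
    - Sid: ReadOnlyTheDatabaseSecret
      Effect: Allow
      Action:
        - secretsmanager:GetSecretValue
        - secretsmanager:DescribeSecret
      # Scoped to the one secret (placeholder name); the trailing -* matches the
      # random suffix Secrets Manager appends to secret ARNs.
      Resource: arn:aws:secretsmanager:us-east-1:111111111111:secret:app/rds/credentials-*

# 2) Application account: trust policy of DBA-Secret, naming only the DBA-Admin
#    role in the DBA account as an allowed caller.
DBA-Secret-trust:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Principal:
        AWS: arn:aws:iam::222222222222:role/DBA-Admin
      Action: sts:AssumeRole

# 3) DBA account: permissions policy attached to DBA-Admin; the only thing the
#    instance role itself may do cross-account is assume DBA-Secret.
DBA-Admin-permissions:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Action: sts:AssumeRole
      Resource: arn:aws:iam::111111111111:role/DBA-Secret

# 4) DBA account: trust policy of DBA-Admin so EC2 can use it through the
#    instance profile attached to the DBAs' instance.
DBA-Admin-trust:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Principal:
        Service: ec2.amazonaws.com
      Action: sts:AssumeRole
```

From the EC2 instance, the DBA-Admin credentials obtained from the instance profile are used to call sts:AssumeRole on DBA-Secret, and the temporary credentials returned are what call secretsmanager:GetSecretValue; CloudTrail in both accounts records the AssumeRole and GetSecretValue calls, which is the audit trail the manual sharing never had.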