Q56 — AWS SAA-C03 Chapter 3
Question 56 of 65
Q186. A solutions architect needs to securely store the database user name and password that an application uses to access an Amazon RDS DB instance. The application that accesses the database runs on an Amazon EC2 instance. The solutions architect wants to create a secure parameter in AWS Systems Manager Parameter Store. What should the solutions architect do to meet this requirement?
- A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to the AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance. ✓
- B. Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to the AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.
- C. Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify Amazon RDS as the principal in the trust policy.
- D. Create an IAM trust relationship between the DB instance and the EC2 instance. Specify Systems Manager as the principal in the trust policy.
Correct answer: A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to the AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.
Explanation
A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance. The credentials are stored as a SecureString parameter, which Parameter Store encrypts with a KMS key. To read it, the application needs two permissions: ssm:GetParameter on that parameter (called with decryption enabled) and kms:Decrypt on the key that protects it. An IAM role attached to the EC2 instance through an instance profile is the only supported way to give an instance those permissions: the application obtains short-lived credentials from the instance metadata service, so no access keys or passwords are baked into the code or the AMI. Scope both statements to the specific parameter ARN and key ARN rather than to "*". When the parameter is encrypted with a customer managed key, the role needs an explicit kms:Decrypt grant on that key and the key policy must allow it; the AWS managed key aws/ssm already permits decryption through Parameter Store for principals in the account.

Option B names the right permissions but the wrong mechanism. An IAM policy cannot be assigned to an EC2 instance; policies attach to IAM identities (users, groups, and roles). An instance only receives permissions through a role in its instance profile, so the policy from B would still have to be attached to a role, which is what A describes.

Option C is not a valid construct. A trust policy belongs to an IAM role and names the principals allowed to assume that role; there is no trust relationship between a parameter and an instance. Naming Amazon RDS as the principal would at most let the RDS service assume a role, which does nothing to let the application read the stored user name and password.

Option D has the same problem. A trust relationship between a DB instance and an EC2 instance does not exist in IAM, and naming Systems Manager as the principal in a trust policy would not grant the application any permission to read the parameter or decrypt it. Note also that Parameter Store is itself part of Systems Manager, so the service is not the issue; the missing piece is a role, assumable by ec2.amazonaws.com, that carries the read and decrypt permissions and is attached to the instance.
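The two policy documents that option A implies, plus the application-side read, as an added example (not from the exam page). The account ID, region, parameter name and KMS key ID are constructed placeholders, and FakeSsmClient is a constructed stand-in for the boto3 SSM client so that the example runs offline; in production the same fetch_db_credentials call receives boto3.client("ssm") and the instance role is used automatically.

```python
"""Least-privilege read of a SecureString parameter from an EC2 instance role.

Added example, not from the exam page. All ARNs and names are constructed.
"""
import json
from typing import Any, Dict

ACCOUNT_ID = "123456789012"                      # constructed
REGION = "us-east-1"                             # constructed
PARAM_NAME = "/prod/app/db-credentials"          # constructed parameter name
PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{PARAM_NAME}"
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
               "11111111-2222-3333-4444-555555555555")  # constructed key ID


def trust_policy() -> Dict[str, Any]:
    """Trust policy for the role: only the EC2 service may assume it.

    This is what lets the role be placed in an instance profile. RDS or
    Systems Manager as a principal here (options C and D) would not help the
    application at all.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(param_arn: str = PARAM_ARN,
                       key_arn: str = KMS_KEY_ARN) -> Dict[str, Any]:
    """Identity policy attached to the role: read one parameter, decrypt with one key.

    Resources are the exact ARNs, not "*", and kms:Decrypt is further limited to
    calls that Parameter Store makes on the role's behalf via kms:ViaService.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneParameter",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter"],
                "Resource": param_arn,
            },
            {
                "Sid": "DecryptOnlyThroughParameterStore",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": key_arn,
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"ssm.{REGION}.amazonaws.com"}
                },
            },
        ],
    }


def fetch_db_credentials(ssm_client, name: str = PARAM_NAME) -> Dict[str, str]:
    """Read the SecureString and parse it as {"username": ..., "password": ...}.

    WithDecryption=True is what triggers the kms:Decrypt call; without it the
    API returns the ciphertext blob, not the secret.
    """
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param["Type"] != "SecureString":
        raise ValueError(f"{name} is not a SecureString; refusing to treat it as a secret")
    return json.loads(param["Value"])


class FakeSsmClient:
    """Constructed offline stand-in mimicking boto3's get_parameter response shape."""

    def __init__(self, store: Dict[str, tuple]):
        self._store = store  # name -> (type, plaintext value)

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> Dict[str, Any]:
        ptype, value = self._store[Name]
        if ptype == "SecureString" and not WithDecryption:
            value = "AQICAHg...constructed-ciphertext..."  # opaque blob, as the real API returns
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


if __name__ == "__main__":
    secret = json.dumps({"username": "appuser", "password": "constructed-p4ss"})
    fake = FakeSsmClient({PARAM_NAME: ("SecureString", secret)})
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print(fetch_db_credentials(fake)["username"])
```

Attach trust_policy() as the role's trust document and permissions_policy() as its inline or managed policy, put the role in an instance profile, and associate that profile with the instance; the application then needs nothing more than the get_parameter call shown in fetch_db_credentials.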