Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 210 discussion

https://aws.amazon.com/cn/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/

SSM RunCommand is the only solution that can actually replace the keys on EC2 instances.

Not sure why you would need to “invoke an AWS Lambda function to generate new key pairs” when Secrets Manager natively supports automatic key rotation? Anyways, A seems to be the least worst answer.

https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/

@duriselvan ==> How did you arrive at "Automatic key rotation" from "key rotation policy that will, upon request B. Parameter Store: While Parameter Store can store keys, it's not designed for automated key rotation. It would require manual configuration and orchestration. C. AWS KMS: KMS is designed for managing encryption keys, not SSH key pairs. It doesn't support the rotation of SSH key pairs on EC2 instances. D. Fleet Manager: Fleet Manager, while facilitating management tasks on EC2 instances, doesn't intrinsically handle key rotation. It would require integration with other services and custom scripts.

C ans Automatic key rotation: AWS KMS automatically rotates keys according to the configured schedule, eliminating the need for manual intervention and ensuring timely key updates. Less than 1 minute downtime: AWS KMS allows for seamless key rotation with minimal downtime. The old key remains active until the new key is generated and propagated, ensuring uninterrupted access to instances. Secure storage: AWS KMS provides a highly secure and encrypted environment for storing cryptographic keys, exceeding the security offered by Parameter Store. Lambda function integration: The EventBridge rule can trigger a Lambda function to perform additional tasks during key rotation, such as updating user access controls or notifying administrators.

Torn between A and D. I don't like the do-it-yourself nature (Lambda) of A, but I understand what everyone is saying about the unique key requirement, which would seem to imply that D is wrong. Don't know tbh.

Option A

A will work, don't overthink, you can request secret rotation in the Secrets manager, and secrets will be stored in a safe place

D is best option if we need to rotate for all Ec2 with same key pair. Since each EC2 to have a different Key pair, will be better to store in Secrets Manager and have that rotated using lambda.

I think the Systems Manager maintenance window is to perform some potentially disruptive actions, which means the duration of the window is equal to system downtime. and I check the white paper, I seems the duration of system maintenance window should be longer than 1 hour.

Seriously, all. While it can be done in A, it's better to do that with D. Here is why: Question says: "A company has Linux-based Amazon EC2 instances." and "Each machine requires a unique EC2 key pair." We might be talking about thousands of EC2 instances. But let's continue. Option A says: "Store all the keys in AWS Secrets Manager." which is OK, you can store up to 500,000 apparently but, seriously, think about. Instances are generated and deleted all the time. This would be cumbersome, even if you do that programmatically. Not convinced? Let me continue.

a-a-a-a-a-a-a-a

A: Based on the Well Architecting Framework for best Practices and that tutorial :) https://aws.amazon.com/de/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/

Why A? Select D

going with A

as someone pointed out D breaks the requirement for unique keys