Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 239 discussion

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to deploy its web applications on containers. The web applications contain confidential data that cannot be decrypted without specific credentials.

A DevOps engineer has stored the credentials in AWS Secrets Manager. The secrets are encrypted by an AWS Key Management Service (AWS KMS) customer managed key. A Kubernetes service account for a third-party tool makes the secrets available to the applications. The service account assumes an IAM role that the company created to access the secrets.

The service account receives an Access Denied (403 Forbidden) error while trying to retrieve the secrets from Secrets Manager.

What is the root cause of this issue?

  • A. The IAM role that is attached to the EKS cluster does not have access to retrieve the secrets from Secrets Manager.
  • B. The key policy for the customer managed key does not allow the Kubernetes service account IAM role to use the key.
  • C. The key policy for the customer managed key does not allow the EKS cluster IAM role to use the key.
  • D. The IAM role that is assumed by the Kubernetes service account does not have permission to access the EKS cluster.
Suggested Answer: B

Comments

jojewi8143
5 days, 5 hours ago
Selected Answer: B
B seems correct to me
upvoted 1 times
jamesf
6 months, 1 week ago
Selected Answer: B
When a service account in Amazon EKS tries to access secrets in AWS Secrets Manager, it does so by assuming an IAM role. The permissions required to access these secrets include:
- Secrets Manager permissions: The IAM role must have the necessary permissions to retrieve the secrets from AWS Secrets Manager.
- KMS key permissions: The IAM role must also have permissions to use the AWS KMS key that encrypts the secrets.
upvoted 1 times
jamesf
6 months, 1 week ago
If the IAM role has the correct permissions to access Secrets Manager but still receives an "Access Denied" error, the issue is likely related to the KMS key policy. Specifically, the key policy needs to explicitly allow the IAM role to use the key for decrypting the secrets. So, the error message indicates that the key policy for the customer-managed KMS key does not include the necessary permissions for the IAM role assumed by the Kubernetes service account. Adjusting the key policy to grant the required permissions should resolve the issue.
upvoted 2 times
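As an added example, not part of the original question or of any comment above, the following Python shows the two key policies the discussion is about: one that only carries the default root and key-administrator statements, and one that adds the statement granting the service account's IAM role kms:Decrypt through Secrets Manager. A small evaluator then answers "can this role decrypt with this key?" offline. The account ID, role names and region are constructed; the evaluator models only the parts of KMS policy evaluation relevant here (principal match, action match, a StringEquals condition on kms:ViaService, and the account-root statement that delegates to IAM identity policies).

```python
"""Check whether a KMS key policy lets an IRSA role decrypt Secrets Manager secrets.

Added example, not from the original page. All ARNs, the account ID and the
region below are constructed for illustration.
"""
import fnmatch

ACCOUNT = "111122223333"                                        # constructed
REGION = "us-east-1"                                            # constructed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/eks-secrets-reader"    # assumed IRSA role
SECRETS_MANAGER = f"secretsmanager.{REGION}.amazonaws.com"

# Key policy as a customer managed key often ships: the account-root statement
# (which delegates to IAM identity policies) and a key-administrator statement.
# Nothing names the role the Kubernetes service account assumes.
KEY_POLICY_MISSING_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions",
         "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*",
         "Resource": "*"},
        {"Sid": "Allow key administrators",
         "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/kms-admin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*",
                    "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
    ],
}

# Same policy plus the statement the service account's role needs. The
# kms:ViaService condition limits the grant to decrypt calls that Secrets
# Manager makes on the role's behalf, so the role cannot use the key directly.
KEY_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": KEY_POLICY_MISSING_ROLE["Statement"] + [
        {"Sid": "Allow the EKS service account role to decrypt secrets",
         "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": SECRETS_MANAGER}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    # IAM action patterns use '*' wildcards and are case-insensitive; the
    # policies here are consistently cased, so a case-sensitive match suffices.
    return any(fnmatch.fnmatchcase(action, pat)
               for pat in _as_list(statement.get("Action", [])))


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _condition_matches(statement, context):
    # Only StringEquals is modelled; that is all the example policies use.
    equals = statement.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) in _as_list(val) for key, val in equals.items())


def role_can_decrypt(key_policy, role_arn, via_service=SECRETS_MANAGER,
                     identity_policy_allows=False):
    """Return True if role_arn may call kms:Decrypt under key_policy.

    Two routes are modelled for a principal in the key's own account: a
    statement naming the role directly, or the account-root statement, which
    only works together with an IAM identity policy on the role that allows
    kms:Decrypt (identity_policy_allows). An explicit Deny naming the role wins.
    """
    account = role_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account}:root"
    context = {"kms:ViaService": via_service}
    allowed = False
    for stmt in key_policy["Statement"]:
        if not _action_matches(stmt, "kms:Decrypt"):
            continue
        if not _condition_matches(stmt, context):
            continue
        principals = _aws_principals(stmt)
        direct = "*" in principals or role_arn in principals
        delegated = root_arn in principals and identity_policy_allows
        if stmt["Effect"] == "Deny" and direct:
            return False
        if stmt["Effect"] == "Allow" and (direct or delegated):
            allowed = True
    return allowed


if __name__ == "__main__":
    print("missing role statement:", role_can_decrypt(KEY_POLICY_MISSING_ROLE, ROLE_ARN))
    print("fixed key policy:     ", role_can_decrypt(KEY_POLICY_FIXED, ROLE_ARN))
```

Two practitioner notes the evaluator makes visible. First, the role still needs its own identity policy allowing secretsmanager:GetSecretValue (and the IRSA trust policy must allow the cluster's OIDC provider to assume it); the key policy fixes only the decrypt half of the request. Second, because the account-root statement delegates to IAM, an identity policy on the role that allows kms:Decrypt would also unblock it without touching the key policy; the question's scenario, and the suggested answer B, take the direct key-policy grant as the intended fix.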
tgv
6 months, 3 weeks ago
---> B
upvoted 2 times
trungtd
6 months, 3 weeks ago
Selected Answer: B
The IAM role assumed by the Kubernetes service account, not the EKS cluster IAM role => C is wrong
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other