exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 704 discussion

A company is using Amazon Aurora MySQL for a customer relationship management (CRM) application. The application requires frequent maintenance on the database and the Amazon EC2 instances on which the application runs. For AWS Management Console access, the system administrators authenticate against
AWS Identity and Access Management (IAM) using an internal identity provider. For database access, each system administrator has a user name and password that have previously been configured within the database.
A recent security audit revealed that the database passwords are not frequently rotated. The company wants to replace the passwords with temporary credentials using the company's existing AWS access controls.
Which set of options will meet the company's requirements?

  • A. Create a new AWS Systems Manager Parameter Store entry for each database password. Enable parameter expiration to invoke an AWS Lambda function to perform password rotation by updating the parameter value. Create an IAM policy allowing each system administrator to retrieve their current password from the Parameter Store. Use the AWS CLI to retrieve credentials when connecting to the database.
  • B. Create a new AWS Secrets Manager entry for each database password. Configure password rotation for each secret using an AWS Lambda function in the same VPC as the database cluster. Create an IAM policy allowing each system administrator to retrieve their current password. Use the AWS CLI to retrieve credentials when connecting to the database.
  • C. Enable IAM database authentication on the database. Attach an IAM policy to each system administrator's role to map the role to the database user name. Install the Amazon Aurora SSL certificate bundle to the system administrators' certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
  • D. Enable IAM database authentication on the database. Configure the database to use the IAM identity provider to map the administrator roles to the database user. Install the Amazon Aurora SSL certificate bundle to the system administrators' certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
ExtHo
Highly Voted 3 years, 1 month ago
C seems correct. passwords are not frequently rotated+AWS Secrets Manager is just a trap but actual requirement is replace the passwords with temporary credentials that C fulfill
upvoted 18 times
...
ItsmeP
Highly Voted 3 years, 2 months ago
D is correct : As company wants to replace the passwords with temporary credentials using the company existing AWS access controls. below are the steps: set up IAM database authentication using IAM roles, follow these steps: 1. Enable IAM DB authentication on the DB instance. 2. Create a database user account that uses an AWS authentication token. 3. Add an IAM policy that maps the database user to the IAM role. 4. Attach the IAM role to the EC2 instance. 5. Generate an AWS authentication token to identify the IAM role. 6. Download the SSL root certificate file or certificate bundle file. 7. Connect to the DB instance using IAM role credentials and the authentication token or an SSL certificate. https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
upvoted 16 times
Bilengh
3 years, 1 month ago
Doesn't step no. 3 mean that the answer is then C?
upvoted 10 times
...
sarah_t
3 years, 1 month ago
C, because: "To allow an IAM user or role to connect to your DB cluster, you must create an IAM policy. After that, you attach the policy to an IAM user or role." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
upvoted 8 times
...
certainly
3 years, 1 month ago
I think C sounds closer to what is described in the aws document. also D fit better with question with Idp solution. but it sounds little off for me how do you configure the database to use the IAM identity provider to map the administrator roles to the database user?
upvoted 8 times
...
Gaurav_GGG
2 years, 11 months ago
Your steps have one 3rd point about IAM policy map to IAM Role which means C is correct.
upvoted 2 times
...
...
mrgreatness
Most Recent 2 years ago
c 1000% done this myself
upvoted 1 times
...
skywalker
2 years, 2 months ago
Here is create a new account and not enroll an existing account. Thus B is the answer. If we refer to enroll an exisiting account, then A as it require to sign in with a 64bit character from the email specified during account invitation.
upvoted 1 times
...
hilft
2 years, 4 months ago
when you see rotation => secret manager B.
upvoted 2 times
marszalekm
10 months ago
"The company wants to replace the passwords with temporary credentials using the company's existing AWS access controls."
upvoted 1 times
...
...
Bigbearcn
2 years, 8 months ago
Selected Answer: C
To allow an IAM user or role to connect to your DB instance, you must create an IAM policy. After that, you attach the policy to an IAM user or role. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
upvoted 2 times
...
cldy
2 years, 11 months ago
C is correct. https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
upvoted 1 times
...
cldy
2 years, 11 months ago
C. Enable IAM database authentication on the database. Attach an IAM policy to each system administratorג€™s role to map the role to the database user name. Install the Amazon Aurora SSL certificate bundle to the system administratorsג€™ certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
upvoted 1 times
...
Liongeek
3 years ago
Ans C If you could even configure the db to use the IAM IDP to map the administrator roles... you were not only giving access to the administrator but also all the users in the IDP.
upvoted 2 times
...
andylogan
3 years, 1 month ago
It's C - IAM policy with temporary credentials
upvoted 2 times
...
student22
3 years, 1 month ago
C - Correct A,B - Wrong: Retrieves password D - Not sure if IDP can be used this way. C sounds better.
upvoted 2 times
...
DerekKey
3 years, 1 month ago
C correct- https://aws.amazon.com/blogs/big-data/federate-database-user-authentication-easily-with-iam-and-amazon-redshift/ D wrong
upvoted 1 times
...
Coffeinerd
3 years, 1 month ago
A and B are wrong: it does not address the use of temporary credentials and using existing company controls. It will just rotate existing credentials but not use temporary ones. C and D are in the fight... from a technical perspective D would be better BUT I could not find any doc that explains how to leverage an IdP with IAM DB Auth, so I would go for C as it follows the current process to grant an IAM user DB rights. CCC!
upvoted 1 times
...
tgv
3 years, 1 month ago
CCC ---
upvoted 1 times
...
Sur272
3 years, 1 month ago
why A is not correct?
upvoted 1 times
Viper57
3 years ago
Because the question states the company wants to replace the passwords with temporary credentials using the company's existing AWS access controls. Option A means the they would still rely on storing their password rather than using temp credentials.
upvoted 1 times
...
...
Suresh108
3 years, 1 month ago
Going with CCCCC. Probable C and D, eliminated D due to Identity provider
upvoted 1 times
...
denccc
3 years, 1 month ago
it's D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...