Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 704 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 704
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company is using Amazon Aurora MySQL for a customer relationship management (CRM) application. The application requires frequent maintenance on the database and the Amazon EC2 instances on which the application runs. For AWS Management Console access, the system administrators authenticate against
AWS Identity and Access Management (IAM) using an internal identity provider. For database access, each system administrator has a user name and password that have previously been configured within the database.
A recent security audit revealed that the database passwords are not frequently rotated. The company wants to replace the passwords with temporary credentials using the company's existing AWS access controls.
Which set of options will meet the company's requirements?

  • A. Create a new AWS Systems Manager Parameter Store entry for each database password. Enable parameter expiration to invoke an AWS Lambda function to perform password rotation by updating the parameter value. Create an IAM policy allowing each system administrator to retrieve their current password from the Parameter Store. Use the AWS CLI to retrieve credentials when connecting to the database.
  • B. Create a new AWS Secrets Manager entry for each database password. Configure password rotation for each secret using an AWS Lambda function in the same VPC as the database cluster. Create an IAM policy allowing each system administrator to retrieve their current password. Use the AWS CLI to retrieve credentials when connecting to the database.
  • C. Enable IAM database authentication on the database. Attach an IAM policy to each system administrator's role to map the role to the database user name. Install the Amazon Aurora SSL certificate bundle to the system administrators' certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
  • D. Enable IAM database authentication on the database. Configure the database to use the IAM identity provider to map the administrator roles to the database user. Install the Amazon Aurora SSL certificate bundle to the system administrators' certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
by sek12324 at March 15, 2021, 2:47 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
ExtHo
Highly Voted 2 years, 11 months ago
C seems correct. passwords are not frequently rotated+AWS Secrets Manager is just a trap but actual requirement is replace the passwords with temporary credentials that C fulfill
upvoted 18 times
...
ItsmeP
Highly Voted 3 years ago
D is correct : As company wants to replace the passwords with temporary credentials using the company existing AWS access controls. below are the steps: set up IAM database authentication using IAM roles, follow these steps: 1. Enable IAM DB authentication on the DB instance. 2. Create a database user account that uses an AWS authentication token. 3. Add an IAM policy that maps the database user to the IAM role. 4. Attach the IAM role to the EC2 instance. 5. Generate an AWS authentication token to identify the IAM role. 6. Download the SSL root certificate file or certificate bundle file. 7. Connect to the DB instance using IAM role credentials and the authentication token or an SSL certificate. https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
upvoted 16 times
Bilengh
2 years, 12 months ago
Doesn't step no. 3 mean that the answer is then C?
upvoted 10 times
...
sarah_t
2 years, 11 months ago
C, because: "To allow an IAM user or role to connect to your DB cluster, you must create an IAM policy. After that, you attach the policy to an IAM user or role." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
upvoted 8 times
...
certainly
2 years, 12 months ago
I think C sounds closer to what is described in the aws document. also D fit better with question with Idp solution. but it sounds little off for me how do you configure the database to use the IAM identity provider to map the administrator roles to the database user?
upvoted 8 times
...
Gaurav_GGG
2 years, 9 months ago
Your steps have one 3rd point about IAM policy map to IAM Role which means C is correct.
upvoted 2 times
...
...
mrgreatness
Most Recent 1 year, 11 months ago
c 1000% done this myself
upvoted 1 times
...
skywalker
2 years ago
Here is create a new account and not enroll an existing account. Thus B is the answer. If we refer to enroll an exisiting account, then A as it require to sign in with a 64bit character from the email specified during account invitation.
upvoted 1 times
...
hilft
2 years, 2 months ago
when you see rotation => secret manager B.
upvoted 2 times
marszalekm
8 months ago
"The company wants to replace the passwords with temporary credentials using the company's existing AWS access controls."
upvoted 1 times
...
...
Bigbearcn
2 years, 6 months ago
Selected Answer: C
To allow an IAM user or role to connect to your DB instance, you must create an IAM policy. After that, you attach the policy to an IAM user or role. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
upvoted 2 times
...
cldy
2 years, 9 months ago
C is correct. https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
upvoted 1 times
...
cldy
2 years, 10 months ago
C. Enable IAM database authentication on the database. Attach an IAM policy to each system administratorג€™s role to map the role to the database user name. Install the Amazon Aurora SSL certificate bundle to the system administratorsג€™ certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
upvoted 1 times
...
Liongeek
2 years, 10 months ago
Ans C If you could even configure the db to use the IAM IDP to map the administrator roles... you were not only giving access to the administrator but also all the users in the IDP.
upvoted 2 times
...
andylogan
2 years, 11 months ago
It's C - IAM policy with temporary credentials
upvoted 2 times
...
student22
2 years, 11 months ago
C - Correct A,B - Wrong: Retrieves password D - Not sure if IDP can be used this way. C sounds better.
upvoted 2 times
...
DerekKey
2 years, 11 months ago
C correct- https://aws.amazon.com/blogs/big-data/federate-database-user-authentication-easily-with-iam-and-amazon-redshift/ D wrong
upvoted 1 times
...
Coffeinerd
2 years, 11 months ago
A and B are wrong: it does not address the use of temporary credentials and using existing company controls. It will just rotate existing credentials but not use temporary ones. C and D are in the fight... from a technical perspective D would be better BUT I could not find any doc that explains how to leverage an IdP with IAM DB Auth, so I would go for C as it follows the current process to grant an IAM user DB rights. CCC!
upvoted 1 times
...
tgv
2 years, 11 months ago
CCC ---
upvoted 1 times
...
Sur272
2 years, 11 months ago
why A is not correct?
upvoted 1 times
Viper57
2 years, 11 months ago
Because the question states the company wants to replace the passwords with temporary credentials using the company's existing AWS access controls. Option A means the they would still rely on storing their password rather than using temp credentials.
upvoted 1 times
...
...
Suresh108
2 years, 11 months ago
Going with CCCCC. Probable C and D, eliminated D due to Identity provider
upvoted 1 times
...
denccc
2 years, 11 months ago
it's D
upvoted 1 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel