Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 179 discussion

CORRECT Option A To securely store a database user name and password in AWS Systems Manager Parameter Store and allow an application running on an EC2 instance to access it, the solutions architect should create an IAM role that has read access to the Parameter Store parameter and allow Decrypt access to an AWS KMS key that is used to encrypt the parameter. The solutions architect should then assign this IAM role to the EC2 instance. This approach allows the EC2 instance to access the parameter in the Parameter Store and decrypt it using the specified KMS key while enforcing the necessary security controls to ensure that the parameter is only accessible to authorized parties.

Agree with A, IAM role is for services (EC2 for example) IAM policy is more for users and groups

A all day. Don't even need to read the other answers. You can't attach a policy to EC2. You have to attach a role.

policy needs to be assigned to something so B is inaccurate CD are just made up things

Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance

CORRECT Option A

By creating an IAM role with read access to the Parameter Store parameter and Decrypt access to the associated AWS KMS key, the EC2 will have the necessary permissions to securely retrieve and decrypt the database user name and password from the Parameter Store. This approach ensures that the sensitive information is protected and can be accessed only by authorized entities. Answers B, C, and D are not correct because they do not provide a secure way to store and retrieve the database user name and password from the Parameter Store. IAM policies, trust relationships, and associations with the DB instance are not the appropriate mechanisms for securely managing sensitive credentials in this scenario. Answer A is the correct choice as it involves creating an IAM role with the necessary permissions and assigning it to the EC2 instance to access the Parameter Store securely.

A is correct

By creating an IAM role and assigning it to the EC2 instance, the application running on the EC2 instance can access the Parameter Store parameter securely without the need for hard-coding the database user name and password in the application code. The IAM role should have read access to the Parameter Store parameter and Decrypt access to an AWS KMS key that is used to encrypt the parameter to ensure that the parameter is protected at rest.

There should be the Decrypt access to KMS. "If you choose the SecureString parameter type when you create your parameter, Systems Manager uses AWS KMS to encrypt the parameter value." https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html IAM role - for EC2

A -- is correct option

Option A.

A is correct

Answer A Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance. This solution will allow the application to securely access the database user name and password stored in the parameter store.

i think policy

A. Attach IAM role to EC2 Instance https://aws.amazon.com/blogs/security/digital-signing-asymmetric-keys-aws-kms/

Attach IAM role to EC2 Instance profile