Learn how to use AWS Systems Manager Parameter Store and AWS Secrets Manager to securely store and retrieve different types of variables for your Amazon ECS applications. Find out the best practices and the benefits of using these services.
A developer is deploying a new application to Amazon Elastic Container Service (Amazon ECS). The developer needs to securely store and retrieve different types of variables. These variables include authentication information for a remote API, the URL for the API, and credentials. The authentication information and API URL must be available to all current and future deployed versions of the application across development, testing, and production environments.
How should the developer retrieve the variables with the FEWEST application changes?
A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment.
B. Update the application to retrieve the variables from AWS Key Management Service (AWS KMS). Store the API URL and credentials as unique keys for each environment.
C. Update the application to retrieve the variables from an encrypted file that is stored with the application. Store the API URL and credentials in unique files for each environment.
D. Update the application to retrieve the variables from each of the deployed environments. Define the authentication information and API URL in the ECS task definition as unique names during the deployment process.
Answer
A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment.
Explanation
The correct answer is A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment.
To securely store and retrieve different types of variables, the developer should use AWS Systems Manager Parameter Store and AWS Secrets Manager, which are services that help to manage secrets, such as passwords, API keys, and tokens. Parameter Store can store both plain text and encrypted values, while Secrets Manager can store and rotate secrets automatically.
The developer can update the application to retrieve the variables from Parameter Store by using the AWS SDK or CLI. The developer can use unique paths in Parameter Store for each variable in each environment, such as /dev/api-url, /test/api-url, and /prod/api-url. This way, the developer can easily organize and access the variables across different environments.
The developer can store the credentials in Secrets Manager in each environment, such as dev-credentials, test-credentials, and prod-credentials. The developer can also enable automatic rotation of the credentials by using a Lambda function or a built-in rotation template. The developer can retrieve the credentials from Secrets Manager by using the AWS SDK or CLI.
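As an added example (not code from the original page), the retrieval pattern described above: read every parameter under the environment's path prefix from Parameter Store and the matching `<env>-credentials` secret from Secrets Manager. The client objects are assumed to be injected, so a constructed fake client that mimics the boto3 response shapes stands in for `boto3.client("ssm")` and `boto3.client("secretsmanager")`; the environment-name check and the pagination handling are this example's assumptions, not the page's.

```python
"""Load per-environment config from Parameter Store paths and Secrets Manager.

Assumption (not from the original page): the AWS clients are injected, so the
loader runs offline against constructed fakes that mimic boto3 response shapes.
"""
import json
import re

# Only plain environment names may form the path; rejects "../prod" style input.
_ENV_RE = re.compile(r"^[a-z][a-z0-9-]{0,31}$")


def load_parameters(ssm, env):
    """Return {"api-url": ..., ...} for every parameter stored under /<env>/.

    WithDecryption=True makes SecureString values readable; NextToken
    pagination is handled because a path may hold more parameters than one page.
    """
    if not _ENV_RE.match(env):
        raise ValueError(f"invalid environment name: {env!r}")
    prefix = f"/{env}/"
    params = {}
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page.get("Parameters", []):
            params[p["Name"][len(prefix):]] = p["Value"]  # strip "/<env>/"
        if not page.get("NextToken"):
            return params
        kwargs["NextToken"] = page["NextToken"]


def load_credentials(secretsmanager, env):
    """Return the parsed JSON held in the <env>-credentials secret."""
    resp = secretsmanager.get_secret_value(SecretId=f"{env}-credentials")
    raw = resp["SecretString"] if "SecretString" in resp else resp["SecretBinary"].decode()
    return json.loads(raw)


class FakeSSM:  # constructed stand-in for boto3.client("ssm"); two pages of results
    def __init__(self, pages):
        self._pages = pages

    def get_parameters_by_path(self, **kw):
        return self._pages[kw.get("NextToken", "first")]


class FakeSecrets:  # constructed stand-in for boto3.client("secretsmanager")
    def get_secret_value(self, SecretId):
        return {"SecretString": json.dumps({"secret": SecretId, "user": "svc", "password": "x"})}


FAKE_SSM = FakeSSM({  # constructed sample data in boto3's response shape
    "first": {"Parameters": [{"Name": "/dev/api-url", "Type": "String",
                              "Value": "https://api.example.test"}], "NextToken": "second"},
    "second": {"Parameters": [{"Name": "/dev/api-token", "Type": "SecureString", "Value": "tok"}]},
})
```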
The other options are incorrect for the following reasons:
Option B is incorrect because AWS Key Management Service (AWS KMS) is not designed for storing and retrieving variables. AWS KMS is a service that provides encryption and decryption operations using customer master keys (CMKs). AWS KMS does not store any data or secrets; it only encrypts or decrypts them using CMKs.
Option C is incorrect because storing the variables in an encrypted file that is stored with the application is not secure or scalable. Anyone who has access to the application code or the file system can see or modify the file. The developer would also have to manage the encryption and decryption of the file manually, which can introduce errors or vulnerabilities.
Option D is incorrect because retrieving the variables from each of the deployed environments is not consistent or reliable. The developer would have to define the authentication information and API URL in the ECS task definition as unique names during the deployment process, which can be prone to human errors or typos. The developer would also have to update the task definition every time a variable changes, which can cause downtime or configuration drift.
The latest AWS Certified Developer – Associate DVA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Developer – Associate DVA-C02 exam and earn AWS Certified Developer – Associate DVA-C02 certification.