Learn how to store and retrieve an access token for an application running on Amazon EC2 instances, and how to use AWS services to encrypt the token and make it accessible from other AWS accounts with minimal management overhead.
Question
A company is implementing an application on Amazon EC2 instances. The application needs to process incoming transactions. When the application detects a transaction that is not valid, the application must send a chat message to the company’s support team. To send the message, the application needs to retrieve the access token to authenticate by using the chat API.
A developer needs to implement a solution to store the access token. The access token must be encrypted at rest and in transit. The access token must also be accessible from other AWS accounts.
Which solution will meet these requirements with the LEAST management overhead?
A. Use an AWS Systems Manager Parameter Store SecureString parameter that uses an AWS Key Management Service (AWS KMS) AWS managed key to store the access token. Add a resource-based policy to the parameter to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Parameter Store. Retrieve the token from Parameter Store with the decrypt flag enabled. Use the decrypted access token to send the message to the chat.
B. Encrypt the access token by using an AWS Key Management Service (AWS KMS) customer managed key. Store the access token in an Amazon DynamoDB table. Update the IAM role of the EC2 instances with permissions to access DynamoDB and AWS KMS. Retrieve the token from DynamoDB. Decrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the message to the chat.
C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.
D. Encrypt the access token by using an AWS Key Management Service (AWS KMS) AWS managed key. Store the access token in an Amazon S3 bucket. Add a bucket policy to the S3 bucket to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Amazon S3 and AWS KMS. Retrieve the token from the S3 bucket. Decrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the message to the chat.
Answer
C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.
Explanation
The correct answer is C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.
Here is a detailed explanation:
- Option A is not a valid solution because it uses an AWS KMS AWS managed key instead of a customer managed key. An AWS managed key is a key that is created and managed by AWS on behalf of the user. A customer managed key is a key that is created and managed by the user. Using a customer managed key provides more control and flexibility over the encryption and decryption process, such as specifying key rotation policies, auditing key usage, and revoking key access. Moreover, using an AWS KMS AWS managed key may incur additional costs for Parameter Store, as it requires using Advanced Parameters instead of Standard Parameters.
- Option B is not a valid solution because it uses Amazon DynamoDB instead of AWS Secrets Manager or Parameter Store. Amazon DynamoDB is a service that provides a fast and flexible NoSQL database for various applications. However, it is not designed for storing and managing secrets or configuration data. Using Amazon DynamoDB for this purpose may introduce complexity and overhead, such as encrypting and decrypting the data on the EC2 instances, managing the database schema and capacity, and ensuring high availability and durability.
- Option C is the best solution because it meets all the requirements with the least management overhead. AWS Secrets Manager is a service that provides secure and centralized management of secrets, such as passwords, API keys, and other sensitive information. It integrates seamlessly with AWS KMS to encrypt and decrypt the secrets using customer managed keys. It also allows adding resource-based policies to the secrets to grant cross-account access. Moreover, it simplifies the task of retrieving and using the secrets from EC2 instances by providing SDKs and CLI tools.
- Option D is not a valid solution because it uses Amazon S3 instead of AWS Secrets Manager or Parameter Store. Amazon S3 is a service that provides object storage for various use cases, such as hosting static websites, storing backups, or archiving data. However, it is not designed for storing and managing secrets or configuration data. Using Amazon S3 for this purpose may introduce complexity and overhead, such as encrypting and decrypting the data on the EC2 instances, managing the bucket policies and lifecycle rules, and ensuring data consistency and durability.
Therefore, option C is the best solution that meets these requirements with the least management overhead.
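The reason option C needs a customer managed key is that cross-account access has to be granted in two places, the secret's resource-based policy and the KMS key policy, and the key policy of an AWS managed key cannot be edited. The Python below is an added example, not code from the original page; the account IDs, ARNs and role name are constructed placeholders. It builds the secret policy, the key policy and the consuming EC2 role's identity policy, statically checks that both resource-side grants are present, and shows the single retrieval call the instance makes.

```python
# Constructed placeholder ARNs (assumptions, not from the page): secret and CMK in
# account 111111111111, the EC2 instance role in account 222222222222.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:chat/api-token-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
CONSUMER_ROLE_ARN = "arn:aws:iam::222222222222:role/TransactionProcessorRole"

def secret_resource_policy(secret_arn, consumer_role_arn):
    """Resource-based policy on the secret: grants the other account's role read access."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountRead", "Effect": "Allow",
        "Principal": {"AWS": consumer_role_arn},
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": secret_arn}]}

def kms_key_policy(owner_account_id, consumer_role_arn, secret_arn):
    """Key policy for the customer managed key. The secret policy alone is not enough: the
    consumer also needs kms:Decrypt, here pinned to this one secret's encryption context."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnerAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account_id}:root"}},
        {"Sid": "ConsumerDecryptViaSecretsManager", "Effect": "Allow",
         "Principal": {"AWS": consumer_role_arn},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:EncryptionContext:SecretARN": secret_arn}}}]}

def consumer_role_policy(secret_arn, key_arn):
    """Identity policy for the EC2 instance role in the consuming account, least privilege."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}

def _allows(policy, principal_arn, action):
    for st in policy["Statement"]:
        principals = st.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and principal_arn in principals and action in actions:
            return True
    return False

def cross_account_read_allowed(secret_policy, key_policy, principal_arn):
    """Pre-deployment check: both resource policies must grant the consuming principal."""
    return (_allows(secret_policy, principal_arn, "secretsmanager:GetSecretValue")
            and _allows(key_policy, principal_arn, "kms:Decrypt"))

def fetch_token(secret_arn, region="us-east-1"):
    """On the EC2 instance: a single call returns plaintext; Secrets Manager does the KMS decrypt."""
    import boto3  # imported here so the policy helpers above run without the SDK installed
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_arn)["SecretString"]
```

The check is deliberately conservative: it treats only explicit Allow statements naming the role as a grant, so a policy that relies on wildcard principals will fail it and prompt review.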
This question and answer come from the latest AWS Certified Developer – Associate DVA-C02 practice exam set, which is available free to help you prepare for the DVA-C02 exam and earn the AWS Certified Developer – Associate certification.