Learn how to use AWS services to store and retrieve an access token for a chat API on AWS. The access token must be encrypted and accessible from multiple accounts. Compare different solutions and find out which one has the least management overhead.
Question
A company is implementing an application on Amazon EC2 instances. The application needs to process incoming transactions. When the application detects a transaction that is not valid, the application must send a chat message to the company’s support team. To send the message, the application needs to retrieve the access token to authenticate by using the chat API.
A developer needs to implement a solution to store the access token. The access token must be encrypted at rest and in transit. The access token must also be accessible from other AWS accounts.
Which solution will meet these requirements with the LEAST management overhead?
A. Use an AWS Systems Manager Parameter Store SecureString parameter that uses an AWS Key Management Service (AWS KMS) AWS managed key to store the access token. Add a resource-based policy to the parameter to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Parameter Store. Retrieve the token from Parameter Store with the decrypt flag enabled. Use the decrypted access token to send the message to the chat.
B. Encrypt the access token by using an AWS Key Management Service (AWS KMS) customer managed key. Store the access token in an Amazon DynamoDB table. Update the IAM role of the EC2 instances with permissions to access DynamoDB and AWS KMS. Retrieve the token from DynamoDB. Decrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the message to the chat.
C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.
D. Encrypt the access token by using an AWS Key Management Service (AWS KMS) AWS managed key. Store the access token in an Amazon S3 bucket. Add a bucket policy to the S3 bucket to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Amazon S3 and AWS KMS. Retrieve the token from the S3 bucket. Decrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the message to the chat.
Answer
C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.
Explanation
The correct answer is C.
AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. You can use Secrets Manager to store and manage sensitive information such as database credentials, API keys, and access tokens. Secrets Manager encrypts the secret values using AWS Key Management Service (AWS KMS) customer managed keys. You can also rotate, monitor, and audit your secrets using Secrets Manager.
To use Secrets Manager to store and retrieve the access token for the chat API, the developer can follow these steps:
- Create a secret in Secrets Manager and store the access token as the secret value. Choose an AWS KMS customer managed key to encrypt the secret value.
- Add a resource-based policy to the secret that grants permissions to other AWS accounts to access the secret. The policy should specify the principals (the other accounts or IAM roles) and the actions (such as GetSecretValue) that are allowed.
- Update the IAM role of the EC2 instances that run the application with permissions to access Secrets Manager and the AWS KMS customer managed key. The role should have a policy that allows actions such as GetSecretValue and Decrypt on the secret and the key.
- Retrieve the token from Secrets Manager by using the GetSecretValue API call or the AWS CLI get-secret-value command. The response will include the decrypted access token in plain text or in binary format depending on how it was stored.
- Use the decrypted access token to send the message to the chat API.
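The steps above as an added, runnable example; this is not code from the original page or from AWS. It builds the two policy documents the steps call for (the resource-based policy on the secret and the identity policy on the EC2 instance role), runs a small least-privilege check over them, and decodes a GetSecretValue response whether the token was stored as a string or as binary. All ARNs, account ids and the sample token are constructed placeholders; only `fetch_token()` talks to AWS (through boto3, imported lazily), so every other helper runs offline.

```python
"""Cross-account access-token retrieval via Secrets Manager (added example).

The pure helpers build and sanity-check the policy documents and decode a
GetSecretValue response. Only fetch_token() calls AWS. Every ARN and account
id here is a constructed placeholder, not a value from the original page.
"""
import base64
import json

# Constructed placeholders (assumptions, not real resources).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:chat/api-token-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
CONSUMER_ROLE_ARN = "arn:aws:iam::222222222222:role/TransactionProcessorRole"


def secret_resource_policy(secret_arn, principal_arns):
    """Resource-based policy attached to the secret: the listed principals in
    other accounts may read this one secret, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


def ec2_role_policy(secret_arn, kms_key_arn):
    """Identity policy for the EC2 instance role: read the secret and use the
    customer managed key that protects it (Secrets Manager calls kms:Decrypt
    on the caller's behalf when it serves GetSecretValue)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": secret_arn},
            {"Effect": "Allow",
             "Action": "kms:Decrypt",
             "Resource": kms_key_arn},
        ],
    }


def policy_findings(policy):
    """Least-privilege review of a policy document: flags wildcard principals,
    actions and resources in Allow statements. Empty list means nothing fired."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in str(principal.get("AWS", ""))):
            findings.append(f"{sid}: wildcard principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
    return findings


def extract_token(response):
    """GetSecretValue returns SecretString for text secrets and SecretBinary for
    binary ones (bytes from boto3, base64 text in CLI/JSON output); handle both."""
    if response.get("SecretString") is not None:
        return response["SecretString"]
    if response.get("SecretBinary") is not None:
        raw = response["SecretBinary"]
        if isinstance(raw, str):      # base64 text form
            raw = base64.b64decode(raw)
        return raw.decode("utf-8")    # the token itself is UTF-8 text
    raise ValueError("response carries neither SecretString nor SecretBinary")


def fetch_token(secret_id, region_name):
    """Live retrieval using the EC2 instance role's credentials (not run offline)."""
    import boto3  # lazy import: the offline helpers need no SDK
    client = boto3.client("secretsmanager", region_name=region_name)
    return extract_token(client.get_secret_value(SecretId=secret_id))


if __name__ == "__main__":
    print(json.dumps(secret_resource_policy(SECRET_ARN, [CONSUMER_ROLE_ARN]), indent=2))
    print(json.dumps(ec2_role_policy(SECRET_ARN, KMS_KEY_ARN), indent=2))
    # Constructed sample responses standing in for the API's output.
    print(extract_token({"SecretString": "constructed-token"}))
    print(extract_token({"SecretBinary": base64.b64encode(b"constructed-token").decode()}))
```

Two points the example makes visible: the resource policy names one action on one secret for one principal, so `policy_findings()` comes back empty, and the same check flags the `*` shortcuts that tend to creep into cross-account policies. When the caller sits in another account, the key policy of the customer managed key must also grant that account `kms:Decrypt`; the policy of an AWS managed key cannot be edited, which is one concrete reason the customer managed key fits this scenario.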
This solution will meet the requirements with the least management overhead because:
- It will encrypt the access token at rest and in transit using AWS KMS customer managed keys, which provide more control and flexibility than AWS managed keys.
- It will allow access from other AWS accounts by using resource-based policies, which are easier to manage than cross-account IAM roles or trust relationships.
- It will simplify the retrieval of the access token by using Secrets Manager, which provides a secure and convenient way to store and manage secrets.
Option A is incorrect because using an AWS Systems Manager Parameter Store SecureString parameter that uses an AWS KMS AWS managed key to store the access token will not meet the requirements. Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. You can use Parameter Store SecureString parameters to store encrypted values such as passwords or license codes. However, Parameter Store SecureString parameters have some limitations compared to Secrets Manager, such as:
- They use AWS KMS AWS managed keys by default, which have less control and flexibility than customer managed keys.
- They do not support resource-based policies, which means you have to use cross-account IAM roles or trust relationships to allow access from other accounts, which adds complexity and overhead.
- They do not support automatic rotation, monitoring, or auditing of secrets, which are important features for security and compliance.
Option B is incorrect because encrypting the access token by using an AWS KMS customer managed key and storing it in an Amazon DynamoDB table will not meet the requirements. DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. You can use DynamoDB to store any type of data, including encrypted values. However, DynamoDB has some drawbacks compared to Secrets Manager for storing secrets, such as:
- It does not provide built-in encryption at rest or in transit for your data. You have to encrypt and decrypt your data yourself by using AWS KMS or other methods, which adds complexity and overhead.
- It does not support resource-based policies, which means you have to use cross-account IAM roles or trust relationships to allow access from other accounts, which adds complexity and overhead.
- It does not support automatic rotation, monitoring, or auditing of secrets, which are important features for security and compliance.
Option D is incorrect because encrypting the access token by using an AWS KMS AWS managed key and storing it in an Amazon S3 bucket will not meet the requirements. Amazon S3 is a service that provides object storage through a web services interface. You can use Amazon S3 to store any type of data, including encrypted values. However, Amazon S3 has some disadvantages compared to Secrets Manager for storing secrets, such as:
- It uses AWS KMS AWS managed keys by default for server-side encryption, which have less control and flexibility than customer managed keys.
- It does not provide built-in encryption in transit for your data. You have to encrypt and decrypt your data yourself by using AWS KMS or other methods, which adds complexity and overhead.
- It does not support automatic rotation, monitoring, or auditing of secrets, which are important features for security and compliance.