
DVA-C02: How to Use AWS Secrets Manager and Amazon ECS to Store and Retrieve Variables

Learn how to securely store and retrieve different types of variables for your Amazon ECS application using AWS Secrets Manager. This tutorial will show you how to create and manage secrets, and how to access them from your application with minimal code changes.

Question

A developer is deploying a new application to Amazon Elastic Container Service (Amazon ECS). The developer needs to securely store and retrieve different types of variables. These variables include authentication information for a remote API, the URL for the API, and credentials. The authentication information and API URL must be available to all current and future deployed versions of the application across development, testing, and production environments.

How should the developer retrieve the variables with the FEWEST application changes?

A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment.

B. Update the application to retrieve the variables from AWS Key Management Service (AWS KMS). Store the API URL and credentials as unique keys for each environment.

C. Update the application to retrieve the variables from an encrypted file that is stored with the application. Store the API URL and credentials in unique files for each environment.

D. Update the application to retrieve the variables from each of the deployed environments. Define the authentication information and API URL in the ECS task definition as unique names during the deployment process.

Answer

A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment.

Explanation

The correct answer is A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment. This answer is based on the following reasons:

  • AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. It allows you to store different types of variables, such as plain text or encrypted strings, and reference them by a unique name or path. You can use Parameter Store to store and retrieve the authentication information and the API URL for your application across different environments, such as development, testing, and production. Unique paths in Parameter Store let you organize parameters into a hierarchy and control access to them by path prefix. For example, you can use the following paths to store your parameters:
    • /dev/api/auth
    • /dev/api/url
    • /test/api/auth
    • /test/api/url
    • /prod/api/auth
    • /prod/api/url
  • AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. You can use Secrets Manager to store and retrieve credentials for your application across different environments, such as development, testing, and production. You can use unique names or tags in Secrets Manager to identify your secrets by environment. For example, you can use the following names or tags to store your secrets:
    • dev-credentials
    • test-credentials
    • prod-credentials
  • To retrieve the variables from Parameter Store and Secrets Manager, you need to update your application code to use the AWS SDK or CLI commands. You also need to grant your ECS task role the necessary permissions to access the parameters and secrets. This approach requires minimal application changes and provides a secure and scalable way to manage your configuration data and secrets.
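The following is an added example, not code from the original page, showing what the retrieval layer and the task role permissions described above look like in practice. It uses the /dev/api/... paths and dev-credentials secret names from the explanation, and goes slightly beyond the text by handling GetParametersByPath pagination, validating the environment name before it is spliced into a path, and generating a least-privilege policy for the ECS task role. The stub clients, sample parameter values, account ID and region are constructed here so the example runs offline; real boto3 clients (boto3.client("ssm") and boto3.client("secretsmanager")) expose the same method names and response shapes and can be passed in instead.

```python
"""Environment-scoped retrieval of configuration from Parameter Store and
Secrets Manager (added example; stub clients are constructed, not real AWS)."""
import json

ALLOWED_ENVS = ("dev", "test", "prod")


def parameter_path(env: str) -> str:
    """Hierarchy prefix for one environment, e.g. '/dev/api/'.
    Rejecting unknown names stops a malformed env such as '../prod' or
    'prod/' from widening the subtree that is read."""
    if env not in ALLOWED_ENVS:
        raise ValueError(f"unknown environment: {env!r}")
    return f"/{env}/api/"


def load_parameters(ssm, env: str) -> dict:
    """Read every parameter under /<env>/api/ into {leaf_name: value}.
    GetParametersByPath returns at most 10 items per call, so the NextToken
    loop is required; WithDecryption=True returns SecureString values in
    plain text (the task role also needs kms:Decrypt on the parameter key)."""
    path = parameter_path(env)
    result, token = {}, None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            result[p["Name"][len(path):]] = p["Value"]
        token = page.get("NextToken")
        if not token:
            return result


def load_credentials(secretsmanager, env: str) -> dict:
    """Fetch <env>-credentials and parse its JSON SecretString."""
    parameter_path(env)  # reuse the environment allowlist check
    resp = secretsmanager.get_secret_value(SecretId=f"{env}-credentials")
    return json.loads(resp["SecretString"])


def task_role_policy(env: str, region: str, account: str) -> dict:
    """Least-privilege IAM policy for the ECS task role: read only this
    environment's parameter subtree and its single secret. Secrets Manager
    ARNs carry a random suffix, hence the trailing wildcard."""
    parameter_path(env)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ssm:GetParametersByPath", "ssm:GetParameter"],
             "Resource": f"arn:aws:ssm:{region}:{account}:parameter/{env}/api/*"},
            {"Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:{env}-credentials-*"},
        ],
    }


class StubSSM:
    """Constructed stand-in for boto3.client('ssm'); returns one parameter per
    page so the pagination loop above is actually exercised."""
    def __init__(self, params):
        self._params = params  # {full_name: value}

    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        names = sorted(n for n in self._params if n.startswith(Path))
        if not names:
            return {"Parameters": []}
        i = int(NextToken) if NextToken else 0
        page = {"Parameters": [{"Name": names[i], "Type": "String",
                                "Value": self._params[names[i]]}]}
        if i + 1 < len(names):
            page["NextToken"] = str(i + 1)
        return page


class StubSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager')."""
    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId):
        return {"SecretString": self._secrets[SecretId]}


# Constructed sample data mirroring the names used in the explanation.
SAMPLE_PARAMS = {
    "/dev/api/auth": "dev-token-placeholder",
    "/dev/api/url": "https://api.dev.example.invalid",
    "/prod/api/auth": "prod-token-placeholder",
    "/prod/api/url": "https://api.example.invalid",
}
SAMPLE_SECRETS = {
    "dev-credentials": json.dumps({"username": "svc", "password": "dev-pw-placeholder"}),
}

if __name__ == "__main__":
    print(load_parameters(StubSSM(SAMPLE_PARAMS), "dev"))
    print(load_credentials(StubSecretsManager(SAMPLE_SECRETS), "dev")["username"])
    print(json.dumps(task_role_policy("dev", "us-east-1", "123456789012"), indent=2))
```

The application only ever sees the environment name (for example from a single `ENV` variable set in the task definition), which is the "fewest changes" property the question asks for: promoting a build from dev to prod changes the path prefix and secret name, not the code. Scoping the task role policy to `/dev/api/*` and `dev-credentials-*` means a compromised dev task cannot read prod values even though both live in the same account.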

The other options are not correct because:

  • Option B ("Update the application to retrieve the variables from AWS Key Management Service (AWS KMS). Store the API URL and credentials as unique keys for each environment") is not a valid option. AWS KMS is a service that enables you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. It is not designed to store and retrieve variables such as an API URL and credentials. You can use AWS KMS to encrypt and decrypt data, but you still need a storage service such as Parameter Store or Secrets Manager to hold the encrypted data.
  • Option C ("Update the application to retrieve the variables from an encrypted file that is stored with the application. Store the API URL and credentials in unique files for each environment") is not a recommended option. Storing variables in an encrypted file shipped with the application introduces security risks and operational overhead. You need to manage the encryption keys and ensure they are securely stored and rotated. You also need to update the file every time you change a variable or deploy a new version of the application. This approach increases complexity and reduces the portability of your application.
  • Option D ("Update the application to retrieve the variables from each of the deployed environments. Define the authentication information and API URL in the ECS task definition as unique names during the deployment process") is not a best-practice option. Storing variables in the ECS task definition exposes them to anyone who can view or modify the task definition. It also makes it difficult to manage and update the variables across environments: you need to create separate task definitions for each environment and update them every time you change a variable or deploy a new version of the application. This approach reduces the security and scalability of your application.

Therefore, option A is the best answer for this question. I hope this explanation helps you better understand how to securely store and retrieve different types of variables for your ECS application.

The latest AWS Certified Developer – Associate DVA-C02 practice exam questions and answers (Q&A) are available free of charge to help you prepare for the AWS Certified Developer – Associate DVA-C02 exam and earn the certification.
