Learn how to implement a key rotation policy for Linux-based Amazon EC2 instances using AWS Secrets Manager to automatically rotate EC2 key pairs and keep them in a securely encrypted place with minimal downtime.
Question
A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH key pairs. Each machine requires a unique EC2 key pair.
The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the keys in a securely encrypted place. The company will accept less than 1 minute of downtime during key rotation.
Which solution will meet these requirements?
A. Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.
B. Store all the keys in Parameter Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Parameter Store.
C. Import the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure automatic key rotation for these key pairs. Create an Amazon EventBridge scheduled rule to invoke an AWS Lambda function to initiate the key rotation in AWS KMS.
D. Add all the EC2 instances to Fleet Manager, a capability of AWS Systems Manager. Define a Systems Manager maintenance window to issue a Systems Manager Run Command document to generate new key pairs and to rotate public keys to all the instances in Fleet Manager.
Answer
A. Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.
Explanation
- Secrets Manager stores each EC2 key pair as a secret and can rotate it automatically on a schedule, or on demand, by invoking a rotation AWS Lambda function.
- The rotation function generates a new key pair, installs the new public key on the corresponding EC2 instance, and then writes the new private key back to the secret as the current version.
- Secrets Manager encrypts secrets at rest with AWS KMS and in transit with TLS, which keeps the private keys in a securely encrypted place as the requirement demands.
- Downtime stays under 1 minute because the new public key can be installed on the instance before the old one is removed, so both keys are valid during a short overlap window and SSH access is never interrupted.
This is a practice question and answer, with explanation, for the Amazon AWS Certified Solutions Architect – Professional (SAP-C02) certification exam.