To enable a three-tier web application deployment on Amazon EC2 instances with access to an Amazon RDS DB instance and AWS Lambda functions, the security engineer needs to store the database credentials securely and ensure that only authorized instances and functions can access them. Additionally, they must track access to the credentials.
Options A and B recommend storing the database credentials in AWS Key Management Service (KMS) and creating an IAM role with access to KMS for both the EC2 instances and the Lambda functions. The role is added to an instance profile, which is attached to the EC2 instances. Option B goes further and suggests attaching the same instance profile to the Lambda function. Both options allow access to the credentials to be tracked by configuring KMS access logs.
Options C and D recommend storing the database credentials in AWS Secrets Manager and creating an IAM role with access to Secrets Manager for both the EC2 instances and the Lambda functions. The role is added to an instance profile, which is attached to the EC2 instances. Option D suggests configuring Lambda to use the new role as its execution role. Both options allow access to the credentials to be tracked by configuring Secrets Manager access logs.
Therefore, options A, B, C, and D provide solutions that meet the requirements. However, options A and B use AWS KMS, while options C and D use AWS Secrets Manager for storing the credentials. The final choice depends on other factors such as the application's complexity, security posture, and cost considerations.
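The two pieces a practitioner actually has to write for the Secrets Manager variant (options C and D) are the IAM policy documents that scope the shared role to one secret, and the audit query that turns the access log into "who read the credential, and did anyone outside the intended role try". The example below is added here and is not part of the original page: it builds a least-privilege permissions policy and a trust policy that lets both the EC2 and Lambda service principals assume the same role (so the role works as an instance profile role and as a Lambda execution role), then audits a handful of constructed CloudTrail records, since Secrets Manager API calls such as GetSecretValue are recorded by AWS CloudTrail. The secret ARN, KMS key ARN, account id, role name `DbSecretReader` and all log records are placeholders constructed for the example.

```python
"""Added example: least-privilege policies for a shared secret-reader role,
plus an offline audit of CloudTrail records for reads of that secret."""
import json
from collections import Counter

# Constructed placeholder identifiers (not real resources).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-credentials-AbCdEf"
SECRET_NAME = "prod/db-credentials"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def secret_read_policy(secret_arn, kms_key_arn, region="us-east-1"):
    """Permissions policy: read exactly one secret, and use the CMK that
    encrypts it only when the call arrives through Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadDbSecret", "Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue"],
             "Resource": secret_arn},
            {"Sid": "DecryptOnlyViaSecretsManager", "Effect": "Allow",
             "Action": ["kms:Decrypt"],
             "Resource": kms_key_arn,
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


def trust_policy(services):
    """Trust policy allowing the listed AWS service principals to assume the
    role; both EC2 and Lambda are needed for one role to serve both tiers."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": sorted(services)},
                       "Action": "sts:AssumeRole"}],
    }


def audit_secret_reads(records, secret_ids, allowed_roles):
    """Count successful GetSecretValue calls per role and flag denied attempts
    or successful reads by principals outside the allowed roles.
    `secret_ids` holds the secret's ARN and name, since callers may pass either."""
    reads = Counter()
    anomalies = []
    for r in records:
        if (r.get("eventSource") != "secretsmanager.amazonaws.com"
                or r.get("eventName") != "GetSecretValue"):
            continue
        if r.get("requestParameters", {}).get("secretId") not in secret_ids:
            continue
        arn = r["userIdentity"]["arn"]
        # assumed-role ARN: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
        role = arn.split("/")[1] if ":assumed-role/" in arn else arn
        if "errorCode" in r:
            anomalies.append((r["eventTime"], arn, r["errorCode"]))
            continue
        if role not in allowed_roles:
            anomalies.append((r["eventTime"], arn, "unexpected-principal"))
        reads[role] += 1
    return reads, anomalies


def _event(time, arn, secret_id, error=None):
    rec = {"eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
           "eventName": "GetSecretValue", "userIdentity": {"arn": arn},
           "requestParameters": {"secretId": secret_id}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed CloudTrail-style records: an EC2 session and a Lambda session of
# the intended role, a denied IAM user, an admin role reading the secret, and
# an unrelated API call that the audit must ignore.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z",
           "arn:aws:sts::123456789012:assumed-role/DbSecretReader/i-0123456789abcdef0", SECRET_ARN),
    _event("2024-01-01T10:05:00Z",
           "arn:aws:sts::123456789012:assumed-role/DbSecretReader/app-api-handler", SECRET_NAME),
    _event("2024-01-01T11:00:00Z",
           "arn:aws:iam::123456789012:user/alice", SECRET_ARN, error="AccessDeniedException"),
    _event("2024-01-01T12:00:00Z",
           "arn:aws:sts::123456789012:assumed-role/AdminRole/ops-session", SECRET_ARN),
    {"eventTime": "2024-01-01T12:30:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    print(json.dumps(secret_read_policy(SECRET_ARN, KMS_KEY_ARN), indent=2))
    print(json.dumps(trust_policy(["ec2.amazonaws.com", "lambda.amazonaws.com"]), indent=2))
    reads, anomalies = audit_secret_reads(SAMPLE_EVENTS, {SECRET_ARN, SECRET_NAME}, {"DbSecretReader"})
    print("reads per role:", dict(reads))
    for when, who, what in anomalies:
        print(f"ANOMALY {when} {who}: {what}")
```

The `kms:ViaService` condition is what keeps the role from decrypting arbitrary ciphertext under the key directly; without it, "access to KMS" grants more than reading the secret. The audit treats a denied call as worth surfacing even though it failed, because a principal probing for the credential is exactly the signal the logging requirement is meant to capture.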