Topic 1 Question 131
A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts.
In an AWS application account, the company’s application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed m the application account.
The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets.
Which solution will meet these requirements?
Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets
In the DBA account create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
ユーザの投票
コメント(17)
- 正解だと思う選択肢: B
Follow below link. It has both option to be used for this scenarios. But default kms key can not be used so B https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/
👍 6bititan2023/02/23 - 正解だと思う選択肢: C
You must use the full AWS KMS key ARN to access a secret from another AWS account. https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/
👍 4Signup_Nickname2023/02/06 - 正解だと思う選択肢: B
I voted for B, because: SCPs are a type of policy that is used to set fine-grained permissions at the root level of an AWS organization. Using SCPs in this scenario could result in overly permissive access, which may not meet the organization's security and compliance requirements. Additionally, using SCPs to manage access to the secrets could make it more difficult to track who has access to the secrets, as SCPs are applied at the organization level and may not be tied to specific IAM roles or users. Option B provides a more secure and controlled solution, as it uses cross-account role assumption and IAM roles to manage access to the secrets, which is a more secure and controlled way to manage access to AWS resources in a multi-account environment.
👍 3tatdatpham2023/02/01
シャッフルモード