AWS Certified Security – Specialty — Question 152

A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in AWS Systems Manager Parameter
Store. When the application tries to access the secure string key value, it fails.
Which factors could be the cause of this failure? (Choose two.)

Answer options

• A. The EC2 instance role does not have decrypt permissions on the AWS Key Management Service (AWS KMS) key used to encrypt the secret.
• B. The EC2 instance role does not have read permissions to read the parameters in Parameter Store.
• C. Parameter Store does not have permission to use AWS Key Management Service (AWS KMS) to decrypt the parameter.
• D. The EC2 instance role does not have encrypt permissions on the AWS Key Management Service (AWS KMS) key associated with the secret.
• E. The EC2 instance does not have any tags associated.

Correct answer: A, B

Explanation

The correct answer is A and B because the EC2 instance role needs decrypt permissions on the KMS key to access the encrypted secure string and read permissions for Parameter Store to retrieve parameters. The other options are incorrect as they either pertain to permissions that are not necessary for reading the parameter or do not influence the ability to access the secure string.