AWS Certified Security – Specialty — Question 504

The Security Engineer is given the following requirements for an application that is running on Amazon EC2 and managed by using AWS CloudFormation templates with EC2 Auto Scaling groups:
-Have the EC2 instances bootstrapped to connect to a backend database.
-Ensure that the database credentials are handled securely.
-Ensure that retrievals of database credentials are logged.
Which of the following is the MOST efficient way to meet these requirements?

Answer options

• A. Pass databases credentials to EC2 by using CloudFormation stack parameters with the property set to true. Ensure that the instance is configured to log to Amazon CloudWatch Logs.
• B. Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.
• C. Create an AWS Lambda that ingests the database password and persists it to Amazon S3 with server-side encryption. Have the EC2 instances retrieve the S3 object on startup, and log all script invocations to syslog.
• D. Write a script that is passed in as UserData so that it is executed upon launch of the EC2 instance. Ensure that the instance is configured to log to Amazon CloudWatch Logs.

Correct answer: B

Explanation

Storing database credentials as SecureString parameters in AWS Systems Manager Parameter Store is the most secure and efficient method, as it natively integrates with IAM for access control and automatically logs all API calls (including credential retrieval) via AWS CloudTrail. Passing credentials through CloudFormation parameters (Option A) or UserData (Option D) exposes sensitive data in plaintext or configuration templates. Using AWS Lambda and Amazon S3 (Option C) adds unnecessary architectural complexity compared to using Parameter Store.