AWS Certified Solutions Architect – Associate (SAA-C02) — Question 288

A development team stores its Amazon RDS MySQL DB instance user name and password credentials in a configuration file. The configuration file is stored as plaintext on the root device volume of the team's Amazon EC2 instance. When the team's application needs to reach the database, it reads the file and loads the credentials into the code. The team has modified the permissions of the configuration file so that only the application can read its content. A solutions architect must design a more secure solution.
What should the solutions architect do to meet this requirement?

Answer options

• A. Store the configuration file in Amazon S3. Grant the application access to read the configuration file.
• B. Create an IAM role with permission to access the database. Attach this IAM role to the EC2 instance.
• C. Enable SSL connections on the database instance. Alter the database user to require SSL when logging in.
• D. Move the configuration file to an EC2 instance store, and create an Amazon Machine Image (AMI) of the instance. Launch new instances from this AMI.

Correct answer: B

Explanation

Utilizing an IAM role attached to the EC2 instance allows the application to securely access the Amazon RDS database without hardcoding or storing plaintext credentials in configuration files. While options like storing files in Amazon S3 or instance stores still leave credentials exposed in plaintext, using IAM roles leverages AWS's native temporary credentialing. Enabling SSL encrypts transit data but does not address the underlying security risk of storing credentials in plaintext on the host.