AWS Certified Solutions Architect – Associate (SAA-C03) — Question 175
A solutions architect needs to securely store a database user name and password that an application uses to access an Amazon RDS DB instance. The application that accesses the database runs on an Amazon EC2 instance. The solutions architect wants to create a secure parameter in AWS Systems Manager Parameter Store.
What should the solutions architect do to meet this requirement?
Answer options
- A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.
- B. Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.
- C. Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify Amazon RDS as a principal in the trust policy.
- D. Create an IAM trust relationship between the DB instance and the EC2 instance. Specify Systems Manager as a principal in the trust policy.
Correct answer: A
Explanation
The correct answer is A because an IAM role with read access to the parameter and Decrypt access to the KMS key, attached to the EC2 instance through an instance profile, lets the instance obtain short-lived credentials and read the SecureString parameter without any static credentials on the host. Option B is incorrect as it suggests using an IAM policy instead of a role, which is less secure for this use case; a policy is attached to an identity such as a role, not directly to an EC2 instance, so the role is what actually delivers the permissions to the instance. Options C and D are incorrect because they focus on trust relationships that do not directly grant the permissions needed to access the Parameter Store parameter; a parameter and a DB instance are resources rather than IAM principals, so they cannot be parties to a trust policy.
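The following added example (not part of the exam question or of any AWS documentation) builds the two documents that make option A work: the role's trust policy, which lets only the EC2 service assume the role, and a least-privilege permissions policy scoped to one parameter ARN and one KMS key. It also includes a small checker that confirms the policy grants exactly the read and decrypt actions needed and nothing on a wildcard resource. The account ID, region, parameter name and key ID are constructed placeholders; the `kms:ViaService` value follows the `ssm.<region>.amazonaws.com` form and is an assumption about how the condition is expressed.

```python
"""Least-privilege IAM documents for an EC2 role that reads a SecureString
parameter from Systems Manager Parameter Store.

Added example; every ARN below is a constructed placeholder, not a real resource.
"""
import fnmatch
import json

# Constructed placeholder identifiers (assumptions for illustration only).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
PARAMETER_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/prod/db/credentials"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"


def trust_policy_for_ec2() -> dict:
    """Trust policy: only the EC2 service may assume the role (via an instance profile)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(parameter_arn: str, key_arn: str) -> dict:
    """Permissions policy: read one parameter and decrypt with the one KMS key protecting it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadParameter",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter"],
                "Resource": parameter_arn,
            },
            {
                "Sid": "DecryptParameter",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": key_arn,
                # Only honour Decrypt calls made through Parameter Store on the role's
                # behalf (assumed condition value format: ssm.<region>.amazonaws.com).
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{REGION}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def grants(policy: dict, action: str, resource: str) -> bool:
    """Return True if some Allow statement covers the action on the resource.

    Simplified evaluator: supports '*' wildcards in Action and Resource, ignores
    Deny statements and Conditions, so it is a least-privilege sanity check,
    not a replacement for the IAM policy simulator.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def wildcard_resources(policy: dict) -> list:
    """List the Sids of Allow statements whose Resource is the bare '*' (a least-privilege smell)."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
    ]


def read_secret_on_instance(parameter_name: str) -> str:
    """How the application on the EC2 instance reads the value.

    No access keys are configured: boto3 picks up the role credentials from the
    instance profile. Requires boto3 and only works when run on the instance.
    """
    import boto3  # imported lazily so the policy helpers above run without boto3

    ssm = boto3.client("ssm", region_name=REGION)
    return ssm.get_parameter(Name=parameter_name, WithDecryption=True)["Parameter"]["Value"]


if __name__ == "__main__":
    policy = permissions_policy(PARAMETER_ARN, KMS_KEY_ARN)
    print(json.dumps(trust_policy_for_ec2(), indent=2))
    print(json.dumps(policy, indent=2))
    print("can read parameter:", grants(policy, "ssm:GetParameter", PARAMETER_ARN))
    print("can write parameter:", grants(policy, "ssm:PutParameter", PARAMETER_ARN))
    print("wildcard resources:", wildcard_resources(policy))
```

The two documents are what you would attach when creating the role: the trust policy is the role's assume-role document, the permissions policy is attached to the role, and the role is then placed in an instance profile on the EC2 instance. The checker illustrates the review step a practitioner would do before attaching: the role can `GetParameter` on exactly that parameter, cannot `PutParameter`, cannot read other parameters, and nothing is granted on `*`.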