AWS Certified Solutions Architect – Professional — Question 412
A company's AWS architecture currently uses access keys and secret access keys stored on each instance to access AWS services. Database credentials are hard-coded on each instance. SSH keys for command-line remote access are stored in a secured Amazon S3 bucket. The company has asked its solutions architect to improve the security posture of the architecture without adding operational complexity.
Which combination of steps should the solutions architect take to accomplish this? (Choose three.)
Answer options
- A. Use Amazon EC2 instance profiles with an IAM role
- B. Use AWS Secrets Manager to store access keys and secret access keys
- C. Use AWS Systems Manager Parameter Store to store database credentials
- D. Use a secure fleet of Amazon EC2 bastion hosts for remote access
- E. Use AWS KMS to store database credentials
- F. Use AWS Systems Manager Session Manager for remote access
Correct answer: A, C, F
Explanation
Using Amazon EC2 instance profiles with IAM roles (A) removes the need for long-lived access keys on the instances: the instance obtains short-lived credentials from the instance metadata service (use IMDSv2), and those credentials are rotated automatically by AWS, so there is nothing to distribute, store, or revoke by hand. AWS Systems Manager Parameter Store (C) provides a low-complexity way to centralize database credentials as SecureString parameters, encrypted with an AWS KMS key, and the application retrieves them at runtime with the permissions granted by the same instance role instead of reading a hard-coded value. AWS Systems Manager Session Manager (F) gives auditable shell access through the SSM Agent's outbound connection, so SSH keys no longer have to be managed or stored in S3, no bastion hosts are needed, and the security groups need no inbound port 22 rule at all. The instance role only has to carry the AmazonSSMManagedInstanceCore managed policy, which is why A and F fit together.

The remaining options do not meet the requirement. Storing the access keys in AWS Secrets Manager (B) still leaves static, long-lived keys in use; the point is to eliminate them, not to relocate them. A fleet of bastion hosts (D) is exactly the kind of operational burden (patching, scaling, SSH key lifecycle) the company wants to avoid. AWS KMS (E) manages encryption keys and performs cryptographic operations; it is not a store for application secrets, so database credentials cannot simply be "stored in KMS".
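The following Terraform configuration is an added illustration of the three chosen steps together; it is not part of the original question or of any AWS sample. The resource names, the parameter path /prod/app/db/password, and the variables db_password, ami_id and vpc_id are assumptions for the example. It creates an IAM role with an instance profile (A), a KMS-encrypted SecureString parameter the role may read (C), and an instance whose security group allows no inbound traffic at all, relying on Session Manager for access (F).

```hcl
variable "db_password" { sensitive = true }   # supplied at apply time, never in code
variable "ami_id" {}
variable "vpc_id" {}

# (A) Role the EC2 service may assume, attached to the instance via an instance profile.
resource "aws_iam_role" "app" {
  name = "app-instance-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile"
  role = aws_iam_role.app.name
}

# (F) Permissions the SSM Agent needs for Session Manager; no SSH, no bastion.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.app.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# (C) Database password as a SecureString parameter encrypted with a dedicated KMS key.
resource "aws_kms_key" "params" {
  description = "Key for SecureString parameters (assumed name for the example)"
}

resource "aws_ssm_parameter" "db_password" {
  name   = "/prod/app/db/password"   # assumed parameter path
  type   = "SecureString"
  key_id = aws_kms_key.params.key_id
  value  = var.db_password
}

# Least privilege: the role may read only this parameter and decrypt only with this key.
resource "aws_iam_role_policy" "read_db_param" {
  name = "read-db-credentials"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ssm:GetParameter", "ssm:GetParameters"]
        Resource = aws_ssm_parameter.db_password.arn
      },
      {
        Effect   = "Allow"
        Action   = "kms:Decrypt"
        Resource = aws_kms_key.params.arn
      }
    ]
  })
}

# (F) No ingress rules at all: Session Manager works over the agent's outbound HTTPS channel.
resource "aws_security_group" "app" {
  name   = "app-no-inbound"
  vpc_id = var.vpc_id
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  iam_instance_profile   = aws_iam_instance_profile.app.name
  vpc_security_group_ids = [aws_security_group.app.id]

  # Require IMDSv2 so the role's temporary credentials cannot be fetched by a plain GET,
  # which limits credential theft through SSRF in the application.
  metadata_options {
    http_tokens = "required"
  }
}
```

On the instance, the application reads the credential with the role's permissions and no configured keys, for example `aws ssm get-parameter --name /prod/app/db/password --with-decryption`, and an operator connects with `aws ssm start-session --target <instance-id>` from a workstation whose IAM identity is allowed `ssm:StartSession`. Both actions are recorded in CloudTrail, which replaces the untraceable shared SSH key with a per-identity audit record.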