AWS Certified DevOps Engineer – Professional — Question 78
A large enterprise is deploying a web application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Oracle DB instance and Amazon DynamoDB. There are separate environments for development, testing, and production.
What is the MOST secure and flexible way to obtain password credentials during deployment?
Answer options
- A. Retrieve an access key from an AWS Systems Manager SecureString parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter.
- B. Launch the EC2 instances with an EC2 IAM role to access AWS services. Retrieve the database credentials from AWS Secrets Manager.
- C. Retrieve an access key from an AWS Systems Manager plaintext parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter.
- D. Launch the EC2 instances with an EC2 IAM role to access AWS services. Store the database passwords in an encrypted config file with the application artifacts.
Correct answer: B
Explanation
Option B is correct because an EC2 IAM role (instance profile) gives the instances short-lived, automatically rotated credentials for AWS services, so no access key is hardcoded or stored anywhere, and AWS Secrets Manager provides a secure way to store, retrieve and automatically rotate the database credentials. Options A and C both rely on a static access key stored in a Systems Manager parameter (in plaintext in option C), which is a long-lived credential that must be protected and rotated manually, so they do not offer the same level of security as a role plus Secrets Manager. Option D uses a role correctly but ships the database passwords in a config file bundled with the application artifacts; even encrypted, the passwords are tied to each deployment and cannot be rotated without redeploying, so it lacks the central management and flexibility that Secrets Manager provides.