AWS Certified SysOps Administrator – Associate (legacy) — Question 484
A web application runs on Amazon EC2 instances and accesses external services. The external services require authentication credentials. The application is deployed using AWS CloudFormation to three separate environments: development, test, and production. Each environment requires unique credentials for external services.
Which option securely provides the application with the needed credentials while requiring MINIMAL administrative overhead?
Answer options
- A. Pass the credentials for the target environment to the CloudFormation template as parameters. Use the user data script to insert the parameterized credentials into the EC2 instances.
- B. Store the credentials as secure strings in AWS Systems Manager Parameter Store. Pass an environment tag as a parameter to the CloudFormation template. Use the user data script to insert the environment tag in the EC2 instances. Access the credentials from the application.
- C. Create a separate CloudFormation template for each environment. In the Resources section, include a user data script for each EC2 instance. Use the user data script to insert the proper credentials for the environment into the EC2 instances.
- D. Create separate Amazon Machine Images (AMIs) with the required credentials for each environment. Pass the environment tag as a parameter to the CloudFormation template. In the Mappings section of the CloudFormation template, map the environment tag to the proper AMI, then use that AMI when launching the EC2 instances.
Correct answer: A
Explanation
Passing credentials directly as parameters into a single CloudFormation template and using user data to inject them (Option A) minimizes administrative overhead because it avoids the complexity of managing multiple templates or custom AMIs. While using Systems Manager Parameter Store (Option B) is a highly secure practice, it introduces additional application-level integration and configuration overhead. Maintaining separate templates (Option C) or unique AMIs (Option D) significantly increases the operational burden of template updates and image lifecycle management.