A company is developing a new application on AWS. The application includes an Amazon ECS cluster, an Amazon S3 bucket that stores application assets, and an Amazon RDS for MySQL database that contains a sensitive dataset. The company wants to ensure that only the ECS cluster can access the RDS database and the S3 bucket. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a new AWS Key Management Service (AWS KMS) customer managed key to encrypt both the S3 bucket and the RDS for MySQL database. Ensure that the KMS key policy grants encrypt and decrypt permissions to the ECS task execution role..
Why this is the answer
The correct solution uses a customer managed key (CMK) in AWS KMS to encrypt both the S3 bucket and the RDS database. By granting the ECS task execution role kms:Encrypt and kms:Decrypt permissions in the CMK's key policy, you ensure that only the ECS cluster, acting under that role, can access the encrypted data in both services. This provides a centralized and robust access control mechanism tied to the encryption key. Incorrect options: Using an AWS managed key doesn't allow for custom key policies to restrict access to specific roles. S3 bucket policies control S3 access, not RDS access. Restricting S3 access via a bucket policy is good, but updating the RDS security group only controls network access, not necessarily data access based on identity. It doesn't address S3 encryption or unified access control. VPC endpoints control network access to services but do not inherently restrict data access based on identity or encryption keys. Security groups control network traffic, not data access permissions.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed