A solutions architect needs to securely store a database user name and password in AWS Systems Manager Parameter Store for an application running on an Amazon EC2 instance. What should the solutions architect do to create a secure parameter and allow the EC2 instance to access it?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance..
Why this is the answer
The correct approach is to use an IAM role. An IAM role can be attached to an EC2 instance, granting it the necessary permissions without embedding credentials directly into the instance. This role should have permissions to read the Parameter Store parameter (e.g., ssm:GetParameter) and, crucially, kms:Decrypt permissions for the KMS key used to encrypt the secure string parameter. This ensures the EC2 instance can retrieve and decrypt the sensitive data. Incorrect options: Attaching an IAM policy directly to an EC2 instance is not the standard or recommended practice; IAM roles are designed for this purpose. IAM trust relationships are used to define who can assume a role, not for direct resource-to-resource access in this manner. Specifying Amazon RDS as a principal is irrelevant for EC2 instance access to Parameter Store. An IAM trust relationship between a DB instance and an EC2 instance, with Systems Manager as a principal, is an incorrect application of trust policies and does not address the Parameter Store access requirement.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed