DOP-C02 · Question #123
DOP-C02 Question #123: Real Exam Question with Answer & Explanation
Question
A large enterprise is deploying a web application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS for Oracle DB instance and Amazon DynamoDB. There are separate environments for development, testing, and production. What is the MOST secure and flexible way to obtain password credentials during deployment?
Options
- A. Retrieve an access key from an AWS Systems Manager SecureString parameter to access AWS
- B. Launch the EC2 instances with an EC2 IAM role to access AWS services. Retrieve the database
- C. Retrieve an access key from an AWS Systems Manager plaintext parameter to access AWS services.
- D. Launch the EC2 instances with an EC2 IAM role to access AWS services. Store the database
Explanation
Option B is correct because using an EC2 IAM role eliminates the need to manage long-term static credentials entirely - the role provides temporary, automatically rotated credentials for accessing AWS services. For database passwords, retrieving them from AWS Systems Manager Parameter Store (specifically as SecureString, encrypted with KMS) during deployment is both secure and flexible across multiple environments (dev/test/prod) without hardcoding secrets anywhere.
Why the distractors are wrong:
- Option A is wrong because it suggests retrieving an access key from a SecureString parameter - access keys are static, long-term credentials that are considered insecure and should never be used when IAM roles are available.
- Option C is wrong for two reasons: it uses access keys (same issue as A), and it stores credentials in plaintext parameters, which provides no encryption protection.
- Option D is partially correct (IAM role is good) but implies storing database credentials insecurely rather than retrieving them from a properly secured source like Parameter Store with encryption.
💡 Memory Tip: Think "Roles over Keys, Encrypted over Plain" - always prefer IAM roles over access keys for EC2, and always use encrypted (SecureString) Parameter Store entries over plaintext when handling sensitive credentials like passwords.
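The pattern in option B, as an added example that is not part of the original question or of any AWS sample: the instance role supplies credentials, and the database password is read from a per-environment SecureString parameter. The `/webapp/<env>/db/password` naming scheme, the function names and the customer managed KMS key are assumptions made for illustration.

```python
ENVIRONMENTS = {"dev", "test", "prod"}


def parameter_name(env, app="webapp"):
    # Assumed convention: /<app>/<env>/db/password. One path per environment
    # lets each environment's instance role be scoped to its own prefix.
    if env not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {env!r}")
    return f"/{app}/{env}/db/password"


def role_policy(env, region, account_id, kms_key_arn, app="webapp"):
    """Least-privilege policy document for one environment's instance role."""
    if env not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {env!r}")
    # Parameter ARNs drop the leading slash of the parameter name.
    prefix = f"arn:aws:ssm:{region}:{account_id}:parameter/{app}/{env}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": prefix},
            # Needed to decrypt SecureString values under a customer managed key.
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


def fetch_db_password(env, ssm=None, app="webapp"):
    """Read the database password at deployment time; no access keys in code."""
    if ssm is None:
        import boto3  # imported lazily so the module loads without the SDK
        # No keys are passed: on EC2 the SDK's default credential chain uses
        # the temporary credentials of the attached IAM role.
        ssm = boto3.client("ssm")
    param = ssm.get_parameter(
        Name=parameter_name(env, app), WithDecryption=True
    )["Parameter"]
    # Refuse a password that was stored unencrypted (the mistake in option C).
    if param["Type"] != "SecureString":
        raise RuntimeError(
            f"{param['Name']} is {param['Type']}, expected SecureString"
        )
    return param["Value"]
```

Passing a stub object as `ssm` exercises the function without AWS access; on an instance, calling `fetch_db_password("prod")` uses the role attached to that instance.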