SAP-C02 Question #842: Real Exam Question with Answer & Explanation
The correct answer is A: In the application account, create an IAM role with the required permissions to access the secrets.
Question
A company uses AWS Organizations for a multi-account setup. The company uses AWS Transit Gateway for cross-account VPC connectivity. An application deployed in an AWS application account uses Amazon RDS. The company's database administrators manage databases from a separate DBA account. The database administrators access the RDS database through an Amazon EC2 instance provisioned in the DBA account. The default AWS managed key encrypts database credentials that are stored in AWS Secrets Manager in the application account. The application team manually shares the secrets with the database administrators. The company needs a solution to grant database administrators access to the RDS database without sharing any secrets. Which solution will meet these requirements?
Options
- A. In the application account, create an IAM role with the required permissions to access the secrets
- B. In the DBA account, create an IAM role with the required permissions to access the secrets and
- C. In the DBA account, create an IAM role with the required permissions to access the secrets in the
- D. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application
Explanation
You can’t change the key policy on the default AWS managed KMS key, so you can’t grant the DBA account direct decrypt permissions. Instead, create an IAM role in the application account that can read the secret (and, because it is a principal in the same account as the AWS managed key, can use that key through Secrets Manager). Add a trust policy to let principals from the DBA account assume that role. The DBA EC2 instance assumes this cross-account role to retrieve the secret, so no sharing or copying of secrets is needed.
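The role from option A, written out as a CloudFormation template for the application account; this is an added example, not part of the exam page, and the account ID, instance role name and secret ARN are placeholder parameters you supply. No kms:Decrypt statement is needed because the default AWS managed key's own policy already allows principals in the application account to use it via Secrets Manager.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Cross-account role in the application account that the DBA account's EC2
  instance assumes to read the RDS secret (added example, not from the exam page)
Parameters:
  DbaAccountId:
    Type: String
    Description: Placeholder - AWS account ID of the DBA account
  DbaInstanceRoleName:
    Type: String
    Description: Placeholder - name of the IAM role attached to the DBA EC2 instance
  RdsSecretArn:
    Type: String
    Description: Placeholder - ARN of the Secrets Manager secret holding the RDS credentials
Resources:
  DbaSecretReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: dba-secret-reader
      # Trust policy: only the DBA instance role in the DBA account may assume
      # this role (narrower than trusting the whole DBA account root)
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${DbaAccountId}:role/${DbaInstanceRoleName}"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-rds-secret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: read exactly one secret, nothing else in the account.
              # Decryption under the default aws/secretsmanager key is permitted by
              # that key's AWS managed policy for principals in this account.
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                  - secretsmanager:DescribeSecret
                Resource: !Ref RdsSecretArn
```

On the DBA side, the instance role still needs an identity policy allowing sts:AssumeRole on the dba-secret-reader role ARN; the instance then calls AssumeRole and uses the temporary credentials for GetSecretValue, so the secret value itself is never copied between accounts. CloudTrail in both accounts records the AssumeRole and GetSecretValue calls, which gives the DBA access an audit trail that manual sharing never had.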