Clarification on a question / answer on a practice test
Carlo-TutorialsDojo updated 3 years, 5 months ago · 2 Members · 2 Posts
For the question below –
A company wants to launch a multitier web application in which the application servers are hosted on Amazon EC2 instances behind an Application Load Balancer. These EC2 instances require access to credentials that they will use to authenticate their SQL connections to an Amazon RDS database. The application is also using several AWS Lambda functions to issue queries to the database using the same database credentials. The Security Engineer is instructed to store the credentials so that both EC2 instances and the Lambda functions can access them. For audit purposes, access logs must also be recorded to track when the credentials were accessed and by whom.
What should the Engineer do to satisfy the above requirements?
The answer was to create a role that provided access to SSM for the EC2 instances and the Lambda function in the "trust policy" of the role. I thought that was the only answer that made sense, and I got it right, but I am still confused why I would add these permissions in the trust policy rather than in the execution role of the Lambda function and the general permissions for the EC2 instance. Could someone please help?
Thanks in advance.
Hello sukhjit,
Thanks for posting your question.
An IAM Role requires two policies: Trust policy and Permissions policy.
The Trust Policy defines the principals that you trust to assume the role. It can be an AWS service or an AWS account. In other words, it decides who can assume the role. The Permissions Policy defines what actions and resources the role can use.
Let me know if this answers your question.
Regards,
Carlo @ Tutorials Dojo
This reply was modified 3 years, 5 months ago by Carlo-TutorialsDojo.
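To make the two-policy split concrete, here is an added Python example (not from the thread or from Tutorials Dojo) that models both documents for the role in the question: a trust policy naming the EC2 and Lambda service principals, and a permissions policy scoped to a single SSM Parameter Store parameter. The parameter ARN, region and account id are constructed placeholders, and the two evaluator functions are a simplified model of IAM's checks, not the real engine.

```python
import fnmatch

# Constructed sample values (placeholders, not from the thread).
PARAM_ARN = "arn:aws:ssm:us-east-1:123456789012:parameter/prod/db/credentials"

# Trust policy: WHO may assume the role (the EC2 and Lambda service principals).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: WHAT the role may do once assumed (read one parameter only).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": PARAM_ARN,
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def can_assume(trust_policy, service_principal):
    """Trust-policy question: may this AWS service assume the role?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if service_principal in _as_list(stmt["Principal"].get("Service", [])):
            return True
    return False

def is_allowed(permissions_policy, action, resource):
    """Permissions-policy question: may the assumed role perform action on resource?"""
    allowed = False
    for stmt in permissions_policy["Statement"]:
        # Action names are case-insensitive; '*' and '?' wildcards are honoured.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = True
    return allowed  # no matching Allow means implicit deny
```

The audit requirement in the question is met separately from either document: CloudTrail records each ssm:GetParameter call together with the assumed-role session that made it, so who read the credential and when is visible without changing the policies.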