-
Use IAM role for On Prem server
updated 3 years, 11 months ago
3 Members
·
6
Posts
-
Hello,
the following question of the Review Mode Set 2 – AWS Certified DevOps Engineer Professional test mentions :
A company is planning to launch its Node.js application to AWS to better serve its clients around the globe. A hybrid deployment is required to be implemented wherein the application will run on both on-premises application servers and On-Demand Amazon EC2 instances. The application instances require secure access to database credentials, which must be encrypted both at rest and in transit.
As a DevOps Engineer, how can you automate the deployment process of the application in the MOST secure manner?
The correct answer is :
Using AWS Systems Manager Parameter Store, upload and manage the database credentials with a Secure String data type. Create an IAM role with an attached policy that allows access and decryption of the database credentials. Associate this role to all the on-premises servers as well as the EC2 instances. Deploy the application packages to the EC2 instances and on-premises servers using AWS CodeDeploy.
My concern is about attaching a Role to an On Prem server. I think there’s no straightforward and definitive way to do it, and you have to go thru a register-on-premises-instance process which is temporary. As such, it would need an extra piece of code to be renewed.
what do you think ?
BR,
CB.
-
Another option is the register command, which will
– Create an IAM user in AWS Identity and Access Management for the on-premises instance, if you do not specify one with the command.
– Save the IAM user’s credentials to an on-premises instance configuration file.
– Register the on-premises instance with CodeDeploy.
– Add tags to the on-premises instance, if you specify them as part of the command.And then attach an IAM policy with the required permissions (e.g. assumerole).
But not that secure of course to have the credentials in a configuration file on the on-premise instance.
Cheers,
Robert -
Hello kung, yes, I fully agree with your option. But it’s definely not what is stated in the quizz.
“Associate this role to all the on-premises servers”
BR,
CB.
-
Hi Claude,
Thank you for posting your question. The “register-on-premises-instance” process is actually a CodeDeploy command and not for Systems Manager Parameter Store. For Hybrid environment, you have to install the Systems Manager (SSM) agent to your servers on-premises. Here are the steps:
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-linux.html
The Servers and virtual machines (VMs) in a hybrid environment require an IAM role to communicate with the Systems Manager service. The role grants AssumeRole trust to the Systems Manager service in order to call the SSM API. The steps are shown in this document:
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
-
Hi JB,
Perfectly clear now!
Thanks again for both explanations and provided links.
I had completely missed this topic.
Regards,
CB
-
You’re welcome Claude! We’re always here to help!
Log in to reply.