AWS Certified Security – Specialty forum. Reply To: Question regarding attaching IAM Role to On-Prem Server

  • Jon-Bonso

    Administrator
    May 13, 2020 at 8:40 am

    Hi Oren,

    The scenario says:

    An organization is planning to launch its web application with an Amazon RDS MariaDB database to serve its clients worldwide. The application will run on both on-premises servers as well as Reserved EC2 instances. The database credentials must be encrypted both at rest and in transit. Their Security Engineer is tasked to manage all of the security aspects of the application architecture.

    How should the Engineer automate the deployment process of the application in the MOST secure manner?

    The provided answer is:

    Use AWS Systems Manager Parameter Store and upload the database credentials with a Secure String data type. Prepare a new IAM role with an attached policy that enables access and decryption of the database credentials then attach this role to all on-premises servers and EC2 instances. Deploy the application packages to the EC2 instances and on-premises servers using AWS CodeDeploy.

    On-premises servers and virtual machines (VMs) in a hybrid environment require an IAM role to communicate with the Systems Manager service. You can use the attach-role-policy CLI command to attach the specified managed policy to the specified IAM role. This is the role that will be used/assumed by the on-premises server, which is also known as “Managed Instance” in AWS Systems Manager terminology:

    https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html

    You also need to create a managed-instance activation in SSM in order to set up servers and virtual machines (VMs) in your hybrid environment as managed instances:

    https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-managed-instance-activation.html

    If you are using CodeDeploy, you can also set up an IAM Role that an On-Premises Server can assume: https://docs.aws.amazon.com/codedeploy/latest/userguide/register-on-premises-instance-iam-session-arn.html

    The actual AWS Security Specialty exam is quite concise and less wordy. This is the rationale as to why we didn’t expound on the provided answer in this scenario.

    Regards,

    Jon Bonso @Tutorials Dojo
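The policy documents behind the reply above, as an added example that is not part of the post or of Tutorials Dojo's material: the trust policy that lets the SSM agent on a hybrid managed instance assume the role, and a least-privilege permission policy that reads one SecureString parameter and decrypts it with one KMS key. The parameter name, region, account id and key id are constructed placeholders; the role also still needs the AmazonSSMManagedInstanceCore managed policy attached with `aws iam attach-role-policy`, as the reply describes.

```python
"""Build and sanity-check the IAM policies for a Systems Manager hybrid role."""
import json

# Constructed placeholder identifiers (not from the post); replace with your own.
PARAMETER_NAME = "/webapp/prod/db-credentials"   # SecureString in Parameter Store
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
KMS_KEY_ID = "00000000-0000-0000-0000-000000000000"


def ssm_service_trust_policy() -> dict:
    """Trust policy: only the Systems Manager service may assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def credential_read_policy(parameter_name: str, region: str,
                           account_id: str, kms_key_id: str) -> dict:
    """Permission policy scoped to one parameter and the key that protects it."""
    # Parameter ARNs carry the name after 'parameter'; a leading '/' in the
    # name supplies the separator, so '/webapp/...' becomes 'parameter/webapp/...'.
    param_arn = f"arn:aws:ssm:{region}:{account_id}:parameter{parameter_name}"
    key_arn = f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadDbCredentials", "Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters"],
             "Resource": param_arn},
            # kms:Decrypt is what WithDecryption=true needs; restrict it to
            # calls made through Parameter Store rather than direct KMS use.
            {"Sid": "DecryptDbCredentials", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": key_arn,
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"ssm.{region}.amazonaws.com"}}},
        ],
    }


def policy_is_scoped(policy: dict) -> bool:
    """Reject any Allow statement whose Action or Resource is a bare wildcard."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            value = stmt.get(field, [])
            if "*" in ([value] if isinstance(value, str) else value):
                return False
    return True


if __name__ == "__main__":
    policy = credential_read_policy(PARAMETER_NAME, REGION, ACCOUNT_ID, KMS_KEY_ID)
    print(json.dumps(policy, indent=2), policy_is_scoped(policy))
```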