You want to securely distribute credentials for your Amazon RDS instance to your fleet of web server instances. The
credentials are stored in a file that is controlled by a configuration management system. How do you securely deploy the
credentials in an automated manner across the fleet of web server instances, which can number in the hundreds, while
retaining the ability to roll back if needed?
A. Store your credential files in an Amazon S3 bucket. Use Amazon S3 server-side encryption on the credential files. Have a scheduled job that pulls down the credential files into the instances every 10 minutes.
B. Store the credential files in your version-controlled repository with the rest of your code. Have a post-commit action in version control that kicks off a job in your continuous integration system which securely copies the new credential files to all web server instances.
C. Insert credential files into user data and use an instance lifecycle policy to periodically refresh the file from the user data.
D. Keep credential files as a binary blob in an Amazon RDS MySQL DB instance, and have a script on each Amazon EC2 instance that pulls the files down from the RDS instance.
E. Store the credential files in your version-controlled repository with the rest of your code. Use a parallel file copy program to send the credential files from your local machine to the Amazon EC2 instances.
I would say A.
D cannot be correct. This is a file containing credentials for the RDS instance. How can you retrieve the credentials which give you access to the RDS instance from the RDS instance itself?! Remember, you need the credentials to access the RDS, i.e. you need the credentials to get the credentials. Not possible!
Why not option ‘B’?
Why A? Does “10 minutes” have any difference from 5 minutes or 1 minute?
Why not option ‘B’?
C, D, E are wrong.
I think A is better than B.
A. Can use versioning of S3. Secure server-side encryption. Pull every 10 minutes by themselves.
B. You must use some external tool to trigger passing the new configuration to the EC2 instances. It is not what AWS wants their customers to do.
None of the given options is appropriate other than A. Although A, too, is not perfect because it fetches credentials every 10 minutes.
But we gotta choose one option, so I would go with A.
Agree. None of these are good. I would hope there is a KMS option. A is the fallback answer.
D is wrong.
B makes most sense.
B is wrong, VC doesn't have strong access/security/encryption policies.
A
https://aws.amazon.com/blogs/security/using-iam-roles-to-distribute-non-aws-credentials-to-your-ec2-instances/
B is wrong. If you store credentials in GitHub, AWS will shut down your account. Try it.
Who says D is wrong?
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
@onur: It seems you want to say D is the correct answer because of the link that you provided? If so, please check that link; you will find a limitation of this feature (max 20 connections to the DB per second), while the question affirms that "the fleet of web server instances, which can number in the hundreds".
Agree.
Answer is A.
A is the correct answer.
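Option A as the thread settles on it (an S3 object stored with server-side encryption, pulled by a scheduled job on each instance, with S3 versioning for rollback), shown here as an added Python example that is not from the question or any commenter. The in-memory FAKE_BUCKET stands in for the S3 GetObject call so it runs offline; the object key, version IDs, file contents and destination path are all constructed.

```python
import os
import tempfile

# Constructed stand-in for S3 GetObject (no network): (key, version_id) ->
# (body, ServerSideEncryption header); version_id None means the latest version.
FAKE_BUCKET = {
    ("db-creds.ini", None): (b"[rds]\nuser=app\npassword=new\n", "AES256"),
    ("db-creds.ini", "v1"): (b"[rds]\nuser=app\npassword=old\n", "AES256"),
    ("plain.ini", None): (b"[rds]\nuser=app\npassword=x\n", None),  # no SSE
}


def deploy_credentials(key, dest, version_id=None):
    """Install the credential object at dest; True if written, False if current.
    Refuses objects stored without server-side encryption, writes atomically
    with mode 0600, and a version_id rolls the file back to that S3 version."""
    body, sse = FAKE_BUCKET[(key, version_id)]
    if not sse:
        raise RuntimeError(f"{key}: object not server-side encrypted; refusing")
    if os.path.exists(dest):
        with open(dest, "rb") as f:
            if f.read() == body:
                return False  # unchanged since the last scheduled pull
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        os.chmod(tmp, 0o600)
        os.replace(tmp, dest)  # atomic rename: readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def run_demo():
    """First install, no-op re-pull, rollback to v1, then an SSE refusal."""
    dest = os.path.join(tempfile.mkdtemp(), "db-creds.ini")
    out = [deploy_credentials("db-creds.ini", dest),
           deploy_credentials("db-creds.ini", dest),
           deploy_credentials("db-creds.ini", dest, version_id="v1")]
    with open(dest, "rb") as f:
        out += [f.read(), oct(os.stat(dest).st_mode & 0o777)]
    try:
        deploy_credentials("plain.ini", dest)
        out.append("accepted")
    except RuntimeError:
        out.append("refused")
    return out
```

In a real deployment the FAKE_BUCKET lookup would be a boto3 get_object call with the instance's IAM role, and the cron job would call deploy_credentials every 10 minutes.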