Which of the following configurations will support thes…

An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2
instances.
The customer's security policy requires that every outbound connection from these instances to
any other service within the customer's Virtual Private Cloud must be authenticated using a
unique X.509 certificate that contains the specific instance-id.
In addition, all X.509 certificates must be signed by the customer's key management service in
order to be trusted for authentication.
Which of the following configurations will support these requirements?


A.
Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate
and configure the Auto Scaling group to launch instances with this role.
Have the instances bootstrap get the certificate from Amazon S3 upon first boot.

B.
Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to
the trusted key management service. Have the key management service generate a signed
certificate and send it directly to the newly launched instance.

C.
Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have
the launched instances generate a certificate signature request with the Instance’s assigned
instance-id to the key management service for signature.

D.
Configure the launched instances to generate a new certificate upon first boot. Have the key
management service poll the AutoScaling group for associated instances and send new instances
a certificate signature that contains the specific Instance-id.
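The two requirements reduce to two checks a relying service must make on every connection: the presented certificate chains to the customer's key management service, and its subject names the connecting instance's own instance-id. The following shell script is an added example (not part of the original question or any AWS documentation) of the certificate-request flow option C describes, using the OpenSSL command line. The key management service is modelled as a private CA kept on disk, the instance-id is a constructed value (on a real instance it would be read from the instance metadata service, for example the signed instance identity document), and the CN check in sign_csr stands in for whatever the real service does to confirm that the requester is the instance it claims to be.

```shell
#!/bin/sh
# Added example (not code from the original page): instance-generated key and
# CSR with the instance-id in the CN, signed by the customer's key management
# service (a private CA here), then checked by a relying service in the VPC.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Constructed instance-id. On a real instance this comes from IMDS, not from
# whatever the requester chooses to put in its CSR.
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"

# Customer's key management service: the private CA every trusted cert must chain to.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Customer/CN=Customer Key Management Service CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Runs on the instance at first boot: the private key never leaves the instance;
# only the CSR (public key plus requested subject) goes to the key management service.
make_csr() {
  id="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Customer/CN=$id" \
    -keyout "$WORK/$id.key" -out "$WORK/$id.csr" >/dev/null 2>&1
}

# Helper: extract the CN from a CSR (kind=req) or a certificate (kind=x509).
subject_cn() {
  kind="$1"; file="$2"
  openssl "$kind" -in "$file" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Runs in the key management service: refuse to sign unless the CN in the CSR
# equals the instance-id the service has independently verified for this requester.
sign_csr() {
  id="$1"; csr="$2"; out="$3"
  [ "$(subject_cn req "$csr")" = "$id" ] || return 1
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$out" >/dev/null 2>&1
}

# Runs in the relying service: accept only if the cert chains to the customer CA
# AND its CN is the instance-id expected for this connection.
verify_cert() {
  cert="$1"; expected="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  [ "$(subject_cn x509 "$cert")" = "$expected" ]
}

# Negative case: a self-signed cert carrying the right instance-id but not
# issued by the customer's key management service.
make_rogue_cert() {
  id="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$id" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

make_ca
make_csr "$INSTANCE_ID"
sign_csr "$INSTANCE_ID" "$WORK/$INSTANCE_ID.csr" "$WORK/$INSTANCE_ID.crt"
make_rogue_cert "$INSTANCE_ID"

if verify_cert "$WORK/$INSTANCE_ID.crt" "$INSTANCE_ID"; then
  echo "issued cert accepted for $INSTANCE_ID"
fi
if ! verify_cert "$WORK/rogue.crt" "$INSTANCE_ID"; then
  echo "self-signed cert rejected: not signed by the customer CA"
fi
if ! verify_cert "$WORK/$INSTANCE_ID.crt" "i-ffffffffffffffff"; then
  echo "cert rejected when presented for a different instance-id"
fi
```

The design point is that the per-instance secret is generated where it is used and never shipped around: the key management service only ever sees a CSR and only ever returns a signature over the instance's own public key, so a single certificate baked into an AMI or pulled from a shared S3 object cannot satisfy the "unique per instance-id" requirement, and a certificate signed by anything other than the customer CA fails the chain check no matter what name it carries.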




Luyong

There is a problem for answer A. Every instance requires a certificate which should include the instance-id. But if every newly launched instance gets the certificate from S3, all of them will get the same certificate, which does not include their own instance-id.

I have no idea about the answer. Maybe C! Because in B and D, it requires the KMS to send the certificate to newly launched instances. KMS cannot do that.

Sumit Kumar

I think B will be the right choice. Maybe they are referring to a custom Key Management Service, not AWS KMS.

leonli

I tend to agree with B. The SNS notification contains the specific instance-id.