An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web
tier and application tier that will utilize Amazon DynamoDB for storage when creating the CloudFormation
template which of the following would allow the application instance access to the DynamoDB tables without
exposing API credentials?
A.
Create an Identity and Access Management Role that has the required permissions to read and write from
the required DynamoDB table and associate the Role to the application instances by referencing an
instance profile.
B.
Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys
from an already created IAM user that has me permissions required to read and write from the required
DynamoDB table.
C.
Create an Identity and Access Management Role that has the required permissions to read and write from
the required DynamoDB table and reference the Role in the instance profile property of the application
instance.
D.
Create an identity and Access Management user in the CloudFormation template that has permissions to
read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret
keys and pass them to the application instance through user-data.
https://acloud.guru/forums/aws-certified-solutions-architect-associate/discussion/-KLhCTRGxa1NXxkvhJ5U/which-of-the-following-would-allow-the-application-instance-access-to-the-dynamo?answer=-KLjyPcM2J6AmPXZhBqw
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#w2ab2c21c10d624c11
A is clearly the answer here. I’m assuming this is another Professional level question. Out of scope for Associate.
A should be the answer
B – using parameter
C – using property
D – using user-data
BCD are bad way of handling credentials.