An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances.
The customer's security policy requires that every outbound connection from these instances to any other
service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate
that contains the specific instance-id. In addition, an X.509 certificate must be signed by the customer's
key management service in order to be trusted for authentication.
Which of the following configurations will support these requirements?

A.
Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and
configure the Auto Scaling group to launch instances with this role. Have the instances' bootstrap get the
certificate from Amazon S3 upon first boot.

B.
Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the
launched instances generate a certificate signing request with the instance's assigned instance-id to the key
management service for signature.

C.
Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted
key management service. Have the key management service generate a signed certificate and send it directly
to the newly launched instance.

D.
Configure the launched instances to generate a new certificate upon first boot. Have the key management
service poll the Auto Scaling group for associated instances and send new instances a certificate signature that
contains the specific instance-id.
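To make the mechanics behind the options concrete, here is an added example (not part of the original question or any answer on this page) of the certificate-signing-request flow that option B describes, together with the check a service inside the VPC would perform when an instance connects. The CA standing in for the customer's key management service, the instance-id and the one-hour lifetime are all constructed for the example; the real service would additionally authenticate the requester before trusting the instance-id in the CSR, for instance by verifying the signed instance identity document the instance obtains from the metadata service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SigningService stands in for the customer's key management service. It holds
// the CA private key, which instances must never see; here it lives in memory.
type SigningService struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

// NewSigningService creates a throwaway root CA (constructed for the example).
func NewSigningService() (*SigningService, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "customer-kms-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SigningService{CACert: ca, caKey: key}, nil
}

// InstanceCSR is the first-boot step on the instance: generate a key pair locally
// (the private key never leaves the instance) and put the instance-id in the CSR.
func InstanceCSR(instanceID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: instanceID}}, key)
	return key, der, err
}

// Sign is the KMS side: check the CSR's proof of possession, then issue a
// short-lived client certificate whose subject is the requested instance-id.
func (s *SigningService) Sign(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // rotate instead of trusting forever
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, s.CACert, csr.PublicKey, s.caKey)
}

// VerifyPeer is what a service in the VPC does with the presented certificate: it
// must chain to the customer CA, allow client auth, and name the expected instance.
func VerifyPeer(certDER []byte, ca *x509.Certificate, expectedInstanceID string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return err
	}
	if cert.Subject.CommonName != expectedInstanceID {
		return errors.New("certificate is not bound to the expected instance-id")
	}
	return nil
}

// IssueForInstance runs the instance half and the KMS half of the flow end to end.
func IssueForInstance(svc *SigningService, instanceID string) ([]byte, error) {
	_, csr, err := InstanceCSR(instanceID)
	if err != nil {
		return nil, err
	}
	return svc.Sign(csr)
}
```

Two properties matter for the requirement as stated: the certificate is unique per instance because each instance generates its own key and names its own instance-id, and it is trusted only because the CA held by the key management service signed it, so a certificate the instance merely generated itself, or one issued by any other CA, fails VerifyPeer.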



KwagongMakisig

B I this is the most sensible implementation

muthu

In A, is the key management service used?

muthu

D seems to be the correct answer.

Srinivasu Muchcherla

A is the right answer.

swagata mondal

D, because of "unique X.509 certificate that contains the specific instance-id".

Megatron

C is the right answer, and here's why:

The certificate must be signed by the customer's key management service, and this is the only option. Using S3 won't make it unique, embedding in the AMI won't make it unique, and generating a new certificate by itself would defeat the requirement of getting it signed by the customer's key management service.

A – Accessing from S3 was fine, but how can the file be unique when every time Auto Scaling generates different instances and instance-ids? That's not predictable.
B – Embedding a certificate in the AMI cannot make the certificate unique.
D – The EC2 instances must generate a unique X.509 certificate, and this must be specific to the instance-id. The EC2 instance can generate the certificate itself, BUT it is clearly mentioned that the certificate must be signed by the customer's key management service and not self-signed.

mutiger91

Is this question mixing up IAM/KMS with the Certificate Manager?

“Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. ”

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html