Which of the following configurations will support thes…

An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances.
The customer's security policy requires that every outbound connection from these instances to any other
service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that
contains the specific instance-id.
In addition, the X.509 certificates must be signed by the customer's Key management service in order to be
trusted for authentication.
Which of the following configurations will support these requirements?

A.
Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and
configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.

B.
Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the
launched instances generate a certificate signature request with the instance’s assigned instance-id to the
Key management service for signature.

C.
Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted
key management service. Have the Key management service generate a signed certificate and send it
directly to the newly launched instance.

D.
Configure the launched instances to generate a new certificate upon first boot. Have the Key management
service poll the Auto Scaling group for associated instances and send new instances a certificate signature
that contains the specific instance-id.





Shinobi

Sorry, but C is the only right answer.

Bao Nguyen Van

C is right answer

Nick Doyle

You’ll need to do C since certs must be generated with the instance IDs …

Anonymous

It can’t possibly be C. I have read thru the entire KMS documentation and nowhere is any capability listed about generating certificates or signing certificates. It is the Key Management Service and it manages keys. It seems to me that the information is incomplete and there really is no correct answer. Also I didn’t find any API calls in KMS related to signing certificates (certificate signature request), so it rules out B, C, D. A seems to be the only answer left and it is a shitty way to pick the right answer when you can see an obvious flaw in it.