AWS Certified Data Engineer Associate DEA-C01 Practice Question
A data engineering team runs a Python ETL script on Amazon EC2 instances in a private subnet. The script must read objects from an S3 data lake and load the data into an Amazon Redshift cluster. Security policies forbid embedding any static access keys or passwords on the instances and require automatically rotated, short-lived credentials. Which authentication approach should the team use to meet these requirements with minimal operational overhead?
Attach an IAM role to the EC2 instance profile that grants access to Amazon S3 and Amazon Redshift, and let the script obtain temporary credentials from the instance metadata service.
Configure the script to connect to Amazon Redshift using a database username and password stored in AWS Systems Manager Parameter Store and grant the user SELECT and INSERT privileges.
Store an IAM user's access key and secret key in AWS Secrets Manager and retrieve them at runtime.
Generate X.509 client certificates for each EC2 instance and use certificate-based authentication when calling Amazon S3 and Amazon Redshift.
Using an IAM role attached to the EC2 instance profile provides temporary security credentials that are automatically rotated by AWS and delivered to the application through the instance metadata service. The SDK can retrieve these credentials without any hard-coded secrets, satisfying the requirement to avoid static passwords or access keys.
Retrieving long-lived IAM user keys from AWS Secrets Manager still requires managing and periodically rotating those keys, adding operational overhead. Storing a database username and password in Systems Manager Parameter Store protects the secret but still relies on static credentials and covers only Amazon Redshift, not S3. AWS does not support client X.509 certificate authentication for S3 or Amazon Redshift, so generating certificates would not meet the requirement.
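The credential delivery described in the explanation can be sketched as follows. This is an added example, not part of the original question and not AWS SDK code. It walks the IMDSv2 exchange the SDK performs on the script's behalf and checks that the result is a short-lived credential set. The role name, key values and the `fake_imds` stand-in are constructed so the block runs off-instance.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254/latest"  # link-local IMDS address on EC2
CREDS = "/meta-data/iam/security-credentials/"

def imds_http(method, path, headers):
    """Real transport; only reachable from inside an EC2 instance."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_role_credentials(transport=imds_http):
    """IMDSv2 flow: session token first, then role name, then credentials."""
    token = transport("PUT", "/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    auth = {"X-aws-ec2-metadata-token": token}
    role = transport("GET", CREDS, auth).splitlines()[0]
    doc = json.loads(transport("GET", CREDS + role, auth))
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS credential status: {doc.get('Code')}")
    doc["Expiration"] = datetime.strptime(
        doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return role, doc

def is_temporary(creds):
    """Role credentials carry a session token and an ASIA-prefixed key id."""
    return bool(creds.get("Token")) and creds["AccessKeyId"].startswith("ASIA")

def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True once the credentials are within `margin` of their expiry."""
    return now >= creds["Expiration"] - margin

# Constructed sample responses (not real credentials) for offline runs.
SAMPLE_ROLE = "example-etl-role"  # hypothetical role name
SAMPLE_DOC = json.dumps({
    "Code": "Success", "Type": "AWS-HMAC", "LastUpdated": "2024-01-01T00:00:00Z",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00", "SecretAccessKey": "constructed",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T06:00:00Z"})

def fake_imds(method, path, headers):
    """Stand-in for IMDS that rejects reads lacking the IMDSv2 token."""
    if method == "PUT" and path == "/api/token":
        return "constructed-imds-token"
    if headers.get("X-aws-ec2-metadata-token") != "constructed-imds-token":
        raise PermissionError("401: IMDSv2 session token required")
    return SAMPLE_ROLE if path == CREDS else SAMPLE_DOC
```

Calling `fetch_role_credentials(fake_imds)` exercises the flow offline. On an instance the default transport is used, and in practice the AWS SDK handles this retrieval and refresh itself.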
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance