AWS Certified Data Engineer Associate DEA-C01 Practice Question
A data engineering team runs AWS Glue Python shell jobs inside private subnets of a VPC that has no route to the internet. Each job must retrieve the target Amazon Redshift user password that is stored as an AWS Secrets Manager secret. According to AWS security best practices, how should the team configure authentication so the jobs can retrieve the secret without violating the principle of least privilege?
Attach an IAM role to each Glue job that allows only secretsmanager:GetSecretValue on the specific secret, and create an interface VPC endpoint for Secrets Manager so the job uses temporary role credentials inside the VPC.
Attach the AWS managed policy SecretsManagerReadWrite to the default AWSGlueServiceRole and use a NAT gateway so the subnet can reach Secrets Manager over the internet.
Encrypt the password with a customer-managed KMS key and pass it as an encrypted job parameter; the job decrypts it with the key at runtime.
Create an IAM user with long-lived access keys that can retrieve the secret and store the keys in the job's connection properties.
The recommended approach is role-based authentication with all traffic kept inside the VPC. Attach to each Glue job an IAM role (one that trusts glue.amazonaws.com) whose permissions policy allows only secretsmanager:GetSecretValue on the ARN of that one secret; Glue assumes the role and hands the job short-lived credentials, so nothing static is stored in the job definition. If the secret is encrypted with a customer-managed KMS key, the role also needs kms:Decrypt on that key, ideally restricted with a kms:ViaService condition to calls made through Secrets Manager. An interface VPC endpoint for Secrets Manager, with private DNS enabled so the default service hostname resolves to the endpoint's private IPs, lets the job call the service without any route to the public internet; an endpoint policy can further limit which principals and which secrets are reachable through it. Together this satisfies the least-privilege principle and the requirement to avoid outbound internet access.
Passing the password as an encrypted job parameter still puts secret material where anyone with glue:GetJob or console access to the job can see it, forces the job role to hold kms:Decrypt on the key, and bypasses Secrets Manager's rotation and audit trail. Granting the broad SecretsManagerReadWrite managed policy and adding a NAT gateway would work functionally, but the policy grants read and write access to every secret in the account, and a NAT gateway requires an internet route the VPC is not supposed to have. Storing long-lived access keys in connection properties contravenes IAM best practices: the keys are static, exposed to anyone who can read the connection definition, and must be rotated by hand.
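As an added example (not code from the original page), the pieces the correct option describes, written in Python because Glue Python shell jobs are Python: the role's trust policy, a permissions policy scoped to one secret (with kms:Decrypt only when a customer-managed key is in play), a Secrets Manager endpoint policy, a small least-privilege check that flags wildcard grants, and the job-side retrieval call. The account ID, region, secret ARN, key ARN and role name are placeholders, and the Secrets Manager client stand-in is constructed so the block runs offline; in the real job the same function receives `boto3.client("secretsmanager", region_name=REGION)`.

```python
"""Least-privilege wiring for a Glue Python shell job that reads one Secrets Manager
secret from a VPC with no internet route. Added example, not from the original page.
Account ID, region, ARNs and role name below are placeholders (assumptions)."""
import json

ACCOUNT_ID = "123456789012"                                   # placeholder
REGION = "us-east-1"                                          # placeholder
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:"
              "secret:prod/redshift/etl_user-AbCdEf")         # placeholder
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
               "11111111-2222-3333-4444-555555555555")        # placeholder
JOB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/GlueRedshiftLoaderRole"  # placeholder


def glue_trust_policy():
    """Trust policy: the Glue service assumes the role and hands the job temporary credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "glue.amazonaws.com"},
            "Action": "sts:AssumeRole",
            # Confused-deputy guard: only jobs in this account may assume the role.
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        }],
    }


def job_permissions_policy(secret_arn, kms_key_arn=None):
    """Permissions scoped to a single secret. kms:Decrypt is granted only when the secret
    is encrypted with a customer-managed key, and only for calls routed via Secrets Manager."""
    statements = [{
        "Sid": "ReadOneSecret",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn,
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptViaSecretsManagerOnly",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def endpoint_policy(role_arn, secret_arn):
    """Policy attached to the Secrets Manager interface endpoint: any host in the VPC can
    only reach this one secret, as this one role, through the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


def least_privilege_findings(policy):
    """Return a list of findings for Allow statements with wildcard actions or resources."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        for resource in resources:
            if resource == "*":
                findings.append(f"wildcard resource for {actions}")
    return findings


def fetch_redshift_password(secretsmanager_client, secret_arn):
    """What the job runs. With private DNS on the endpoint, a plain
    boto3.client('secretsmanager', region_name=REGION) already resolves to the endpoint,
    so no endpoint_url override is needed. The client is injected so it can be tested offline."""
    resp = secretsmanager_client.get_secret_value(SecretId=secret_arn)
    # Redshift-style secrets are JSON documents with username/password keys.
    return json.loads(resp["SecretString"])["password"]


class _FakeSecretsManager:
    """Constructed stand-in for the boto3 Secrets Manager client (offline use only)."""
    def get_secret_value(self, SecretId):
        assert SecretId == SECRET_ARN, "job must only request the one secret it is allowed"
        return {"SecretString": json.dumps({"username": "etl_user", "password": "s3cr3t"})}


if __name__ == "__main__":
    print(json.dumps(job_permissions_policy(SECRET_ARN, KMS_KEY_ARN), indent=2))
    print(fetch_redshift_password(_FakeSecretsManager(), SECRET_ARN))
```

The `least_privilege_findings` check is deliberately coarse: it catches the two patterns that make the managed-policy option fail the question (an action wildcard and a resource wildcard), which is enough to gate a role before it is attached to a job. Run it against the scoped policy and it returns nothing; run it against a statement like `secretsmanager:*` on `*` and it reports both problems.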
Data Security and Governance