AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company operates a multi-account AWS environment that is governed by AWS Organizations. All application secrets are stored in the security account (Account A) by using AWS Secrets Manager in the us-east-1 Region. An Amazon ECS service that runs in the production account (Account B) must retrieve the secret named Prod/DatabaseCredentials when tasks start. Requirements are:
The secret must remain encrypted at rest with AWS KMS.
The implementation must apply the principle of least privilege while allowing Account A to retain full administrative control of the secret.
Ongoing operational effort should be kept to a minimum.
Which approach satisfies these requirements?
Encrypt the secret with a customer managed KMS key in Account A, update the key policy to allow the ECS task role in Account B to decrypt, attach a resource-based policy on the secret granting secretsmanager:GetSecretValue to that role, and add an identity-based policy that allows secretsmanager:GetSecretValue and kms:Decrypt.
Export the secret to an encrypted advanced parameter in AWS Systems Manager Parameter Store and reference the parameter as an environment variable in the ECS task definition.
Encrypt the secret with the AWS managed key aws/secretsmanager, attach a resource-based policy that grants secretsmanager:GetSecretValue to the ECS task role in Account B, and add an identity-based policy in Account B that allows secretsmanager:GetSecretValue.
Configure Secrets Manager to replicate the secret to a new copy in Account B and grant the ECS task role secretsmanager:GetSecretValue permission on the replica.
The only compliant solution is to encrypt the secret with a customer managed KMS key that resides in the security account, attach a resource-based policy to the secret that grants secretsmanager:GetSecretValue to the ECS task role in the production account, and update the KMS key policy as well as the task role's identity-based policy so that the role can call kms:Decrypt on the key. Secrets Manager automatically handles encryption and does not require additional maintenance, so operational overhead is low.
A design that relies on the AWS-managed key (aws/secretsmanager) fails because that key cannot be used for cross-account access. Replicating the secret to another account is not supported-replication works only across Regions within the same account-so that alternative does not meet the requirements. Exporting the value to Systems Manager Parameter Store introduces a separate service that does not provide native rotation and removes control from the security account, violating both the least-privilege and administrative-control requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the role of a customer managed KMS key in cross-account access?
Open an interactive chat with Bash
Why can't the AWS-managed key aws/secretsmanager be used for cross-account access?
Open an interactive chat with Bash
What is the importance of both a resource-based policy and an identity-based policy in this solution?
Open an interactive chat with Bash
AWS Certified Solutions Architect Professional SAP-C02
Continuous Improvement for Existing Solutions
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access