AWS Certified Solutions Architect - Associate / Question #1198 of 1019

Question #1198

A solutions architect needs to securely store an API key for a third-party service that an application uses to interact with an external API. The application runs on an Amazon EC2 instance. The solutions architect wants to store the API key securely using AWS Systems Manager Parameter Store.

What should the solutions architect do to meet this requirement?

A

Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.

B

Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.

C

Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify the third-party service as a principal in the trust policy.

D

Create an IAM trust relationship between the external API and the EC2 instance. Specify Systems Manager as a principal in the trust policy.

Explanation

Answer A is correct because:
1. IAM Roles for EC2: EC2 instances receive permissions through an IAM role attached to the instance, not through a policy attached directly to the instance. The role must include permissions for ssm:GetParameter (to read the parameter) and kms:Decrypt (to decrypt the KMS-encrypted parameter).
2. Secure Storage: Parameter Store's SecureString type encrypts the API key with a KMS key, so reading the plaintext value also requires permission to decrypt with that key.

Why other options are incorrect:
- B: IAM policies cannot be directly assigned to EC2 instances; they must be attached to roles.
- C/D: Trust relationships define which entities can assume a role. Parameter Store parameters and external APIs do not assume roles, making these options invalid.

Key Points:
- Use IAM roles (not policies) for EC2 permissions.
- A SecureString parameter encrypted with KMS provides both secure storage and access control (read access to the parameter plus Decrypt access to the key).
- EC2 instances require ssm:GetParameter and kms:Decrypt permissions.
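To make answer A concrete, the following added example (not part of the exam page) builds the two policy documents the instance role needs and reads the SecureString with decryption enabled. The ARNs are placeholders, and FakeSsmClient is a constructed stand-in so the script runs offline; against AWS you would pass a real boto3 SSM client.

```python
"""Least-privilege IAM role and SecureString read for an EC2 instance.
Added example, not from the exam page; ARNs below are placeholders."""
import json

# Placeholder ARNs (constructed for this example).
PARAMETER_ARN = "arn:aws:ssm:us-east-1:123456789012:parameter/app/third-party/api-key"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

def trust_policy_for_ec2() -> dict:
    # Trust policy of the role: only the EC2 service may assume it. The
    # principal is EC2, not the parameter or the third-party API (options C/D).
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }

def permissions_policy(parameter_arn: str, kms_key_arn: str) -> dict:
    # Permissions policy attached to the role: read exactly one parameter
    # and decrypt with exactly the KMS key that protects it, nothing broader.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadParameter", "Effect": "Allow",
             "Action": "ssm:GetParameter", "Resource": parameter_arn},
            {"Sid": "DecryptParameter", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }

def read_api_key(ssm_client, parameter_name: str) -> str:
    # ssm_client is a boto3 SSM client or anything with the same
    # get_parameter signature. WithDecryption=True makes SSM call KMS on the
    # caller's behalf, which is why the role needs kms:Decrypt as well.
    resp = ssm_client.get_parameter(Name=parameter_name, WithDecryption=True)
    return resp["Parameter"]["Value"]

class FakeSsmClient:
    """Constructed offline stand-in for boto3's SSM client."""
    def get_parameter(self, Name, WithDecryption=False):
        if not WithDecryption:
            # Without decryption a SecureString comes back as ciphertext.
            return {"Parameter": {"Name": Name, "Value": "AQICAHh...ciphertext"}}
        return {"Parameter": {"Name": Name, "Value": "sk-example-constructed"}}

if __name__ == "__main__":
    print(json.dumps(permissions_policy(PARAMETER_ARN, KMS_KEY_ARN), indent=2))
    print(read_api_key(FakeSsmClient(), "/app/third-party/api-key"))
```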

Answer

The correct answer is: A