An application running on EC2 instances must use a username and password to access a database.
The developer has stored those secrets in the SSM Parameter Store with type SecureString using the customer-managed KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.
A. Add the EC2 instance role as a trusted service to the SSM service role.
B. Add permission to use the KMS key to decrypt to the SSM service role.
C. Add permission to read the SSM parameter to the EC2 instance role.
D. Add the kms:Decrypt permission in the EC2 instance role so that the EC2 instances can use the KMS key.
E. Add the SSM service role as a trusted service to the EC2 instance role.
Answer: C and D.
Option A is incorrect because the instance role is attached to the EC2 instance itself; it does not need to be trusted by the SSM service role.
Option B is incorrect because it is the EC2 instance role, not the SSM service role, that needs permission to decrypt with the KMS key.
Option C is CORRECT because the EC2 instance role needs permission to read the SSM parameter.
Option D is CORRECT because the EC2 instance role needs to have permission to use the KMS key to decrypt so that the application can get the secrets via the API.
Option E is incorrect because the EC2 instance role does not need to trust the SSM service.
The example policy below, taken from the AWS documentation, must be attached to the EC2 instance role so the instance can read a SecureString parameter encrypted under a KMS key.
It grants the ssm:GetParameter* actions on the parameter path and the kms:Decrypt action on the key that protects the secret.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter*"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ReadableParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
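As an added example (not code from the original page or from the AWS documentation), the following builds the two IAM documents the instance role needs, a trust policy for the EC2 service and a permissions policy scoped to one parameter path and one KMS key, and then checks them with a small allow-only matcher to show that both ssm:GetParameter and kms:Decrypt must be granted before a SecureString can be read. The account id, region, key id and parameter path are constructed placeholders, and fetch_secret is a hypothetical runtime helper that calls GetParameter with WithDecryption=True from the instance.

```python
"""
Added example (not from the original page or the AWS documentation): builds the
IAM documents an EC2 instance role needs to read a SecureString parameter and
checks them with a minimal allow-only policy matcher.
"""
import fnmatch

# Constructed placeholders: replace with your own account, region, key and parameter.
ACCOUNT_ID = "111122223333"
REGION = "us-west-2"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
PARAM_PATH = "/ReadableParameters/db-password"

# Trust policy: the role is assumed by the EC2 service on behalf of the instance.
# No trust relationship with the SSM service is involved (options A and E).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def build_permissions_policy(account_id=ACCOUNT_ID, region=REGION,
                             key_id=KEY_ID, param_prefix="/ReadableParameters/"):
    """Least-privilege permissions policy for the instance role (options C and D):
    read only parameters under one path and decrypt with one customer-managed key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ssm:GetParameter*"],
                "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter{param_prefix}*",
            },
            {
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
            },
        ],
    }


def is_allowed(policy, action, resource):
    """Minimal IAM-style matcher: Allow statements only, '*' wildcards in Action and
    Resource. Real IAM additionally evaluates Deny statements, conditions, the KMS
    key policy and any resource policies; this is a teaching approximation."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def can_read_secure_string(policy, param_arn, key_arn):
    """GetParameter(WithDecryption=True) needs both the SSM read and the KMS decrypt;
    missing either one means the application never sees the plaintext."""
    return (is_allowed(policy, "ssm:GetParameter", param_arn)
            and is_allowed(policy, "kms:Decrypt", key_arn))


def fetch_secret(name, region=REGION):
    """Hypothetical runtime helper: on the instance, boto3 obtains the instance-role
    credentials automatically. boto3 is imported lazily so the policy checks above
    run without it installed."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]


if __name__ == "__main__":
    policy = build_permissions_policy()
    param_arn = f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{PARAM_PATH}"
    key_arn = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{KEY_ID}"
    print("full policy can read secret:", can_read_secure_string(policy, param_arn, key_arn))
    ssm_only = {"Version": "2012-10-17", "Statement": [policy["Statement"][0]]}
    print("ssm-only policy can read secret:", can_read_secure_string(ssm_only, param_arn, key_arn))
```

The ssm-only check mirrors the common misconfiguration behind option B: the parameter read is permitted, but the decrypt is not, so the call fails even though the SSM permission looks correct.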
For more information on Parameter Store, please visit the URL below:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
To allow an application running on EC2 instances to access secrets stored in SSM Parameter Store as SecureString parameters encrypted with a customer-managed KMS CMK, the following configuration steps must be taken:
C. Add permission to read the SSM parameter to the EC2 instance role. This grants the EC2 instance role permission to read the secret stored in SSM Parameter Store.
D. Add the kms:Decrypt permission in the EC2 instance role so that the EC2 instances can use the KMS key to decrypt the secret.
Explanation of the incorrect options:
A. Add the EC2 instance role as a trusted service to the SSM service role. This option is incorrect because it would allow the SSM service role to access the EC2 instance role, which is not necessary for this use case.
B. Add permission to use the KMS key to decrypt to the SSM service role. This option is incorrect because it would allow the SSM service role to use the KMS key to decrypt the secret, which is not necessary for this use case.
E. Add the SSM service role as a trusted service to the EC2 instance role. This option is incorrect because it would allow the EC2 instance role to access the SSM service role, which is not necessary for this use case.