Secure Secrets Access for AWS EC2 Instances - Configuration Steps | AWS Certified Security - Specialty Exam

Secure Secrets Access for AWS EC2 Instances

Question

An application running on EC2 instances must use a username and password to access a database.

The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.

Answers

A. Add the EC2 instance role as a trusted service to the SSM service role.
B. Add permission to use the KMS key to decrypt to the SSM service role.
C. Add permission to read the SSM parameter to the EC2 instance role.
D. Add permission to use the KMS key to decrypt to the EC2 instance role.
E. Add the SSM service role as a trusted service to the EC2 instance role.

Explanations

Answer - C and D.

Option A is incorrect because no trust relationship is involved. The application calls Parameter Store directly with the instance role's credentials; there is no SSM service role that the instance role would need to be trusted by.

Option B is incorrect because Parameter Store decrypts a SecureString with the permissions of the caller, not with an SSM service role. The kms:Decrypt permission therefore belongs on the EC2 instance role.

Option C is CORRECT because we need to add permission to read the SSM parameter to the EC2 instance role.

Option D is CORRECT because we need to add permission to use the KMS key to decrypt to the EC2 instance role which allows the application to access the secrets via the API.

Option E is incorrect for the same reason as option A: the instance role's trust policy only needs to allow ec2.amazonaws.com to assume it (which the instance profile already does); no SSM service role takes part in reading the parameter.

The example policy below, from the AWS documentation, is the kind of policy that must be attached to the EC2 instance role in order to read a SecureString parameter from Parameter Store, whose value is decrypted with AWS KMS.

Permissions must be granted for the GetParameter API call and for the kms:Decrypt call that Parameter Store makes on the caller's behalf when the parameter is requested with WithDecryption set to true.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter*"
            ],
            "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ReadableParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

For more information on the parameter store, please visit the below URL.

https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
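The following Python is an added example, not code from the original page or from the AWS documentation. It builds the instance-role policy that options C and D call for, scoped to a parameter path rather than to every parameter in the account, runs a small sanity check that the document actually covers the calls the application makes (and nothing more), and shows the boto3 read the application performs on the instance. The region, account id, parameter path /prod/db/ and key id are placeholders; boto3 is assumed to be installed on the instance and is imported only inside the read function, so the policy checks run without it.

```python
"""Least-privilege instance-role policy for reading SecureString parameters,
a minimal checker for it, and the application's read call (added example)."""
import json
import re

# Placeholders (assumptions, not values from the question): region, account,
# the parameter path the application reads, and the KMS key protecting it.
REGION = "us-west-2"
ACCOUNT = "111122223333"
PARAM_PATH = "/prod/db/"   # e.g. /prod/db/username and /prod/db/password
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"


def parameter_arn(name, region=REGION, account=ACCOUNT):
    """ARN of a parameter or path: 'parameter/' follows the account id directly,
    and the leading '/' of a hierarchical parameter name is dropped."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def key_arn(key_id, region=REGION, account=ACCOUNT):
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


def instance_role_policy(param_path, key_id, region=REGION):
    """Policy to attach to the EC2 instance role (options C and D): read the
    parameters under param_path and decrypt with the key that protects them.
    No Put/Delete and no kms:Encrypt: the application only reads."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDbSecrets",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters",
                           "ssm:GetParametersByPath"],
                "Resource": parameter_arn(param_path.rstrip("/") + "/*"),
            },
            {
                "Sid": "DecryptDbSecrets",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": key_arn(key_id),
                # Parameter Store calls KMS on the caller's behalf, so restricting
                # the grant to that path stops the role decrypting arbitrary
                # ciphertexts with the same key.
                "Condition": {"StringEquals": {
                    "kms:ViaService": f"ssm.{region}.amazonaws.com"}},
            },
        ],
    }


def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def policy_allows(policy, action, resource):
    """True if some Allow statement's Action and Resource patterns cover the
    call. Deliberately ignores Deny statements and Conditions: a sanity check on
    the document, not a replacement for the IAM policy simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_iam_match(a, action) for a in _as_list(stmt.get("Action", [])))
                and any(_iam_match(r, resource)
                        for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False


def read_db_credentials(path=PARAM_PATH, region=REGION):
    """What the application does on the instance. boto3 obtains the instance
    role's credentials from the instance metadata service; WithDecryption=True
    is what causes the kms:Decrypt call, and without it a SecureString value is
    returned still encrypted."""
    import boto3  # assumed installed on the instance
    ssm = boto3.client("ssm", region_name=region)
    creds = {}
    for page in ssm.get_paginator("get_parameters_by_path").paginate(
            Path=path, WithDecryption=True):
        for p in page["Parameters"]:
            creds[p["Name"].rsplit("/", 1)[-1]] = p["Value"]
    return creds   # e.g. {"username": ..., "password": ...}


if __name__ == "__main__":
    print(json.dumps(instance_role_policy(PARAM_PATH, KEY_ID), indent=2))
```

Running the file prints the policy document to attach to the instance role. The checker confirms both grants the application needs are present while a write such as ssm:PutParameter, or a read outside /prod/db/, is not; note that an identity-based allow is only half of the KMS picture when a customer managed key is used, since that key's policy must also permit the role.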

To allow an application running on EC2 instances to read SecureString parameters from the SSM Parameter Store, two grants are needed, and both belong on the EC2 instance role:

Step 1: Add permission to read the SSM parameter to the EC2 instance role. The application calls ssm:GetParameter (or GetParameters / GetParametersByPath) using the instance role's credentials, so that role needs ssm:GetParameter* on the parameter's ARN. Attaching the managed policy AmazonSSMReadOnlyAccess would satisfy this, but it grants read access to every parameter in the account; scoping the Resource to the parameter or path the application actually needs is the least-privilege choice.

Option C: Add permission to read the SSM parameter to the EC2 instance role is correct.

Step 2: Add permission to use the KMS key to decrypt to the EC2 instance role. Parameter Store encrypts SecureString values with a KMS key, and when the caller requests the parameter with WithDecryption set to true, Parameter Store calls kms:Decrypt on the caller's behalf using the caller's permissions. The instance role therefore needs kms:Decrypt on that key. If a customer managed key is used instead of the default key, the key policy must also allow the instance role to use it.

Option D: Add permission to use the KMS key to decrypt to the EC2 instance role is correct.

Therefore, options C and D are the correct answers.

The other options are not required for this scenario. A. Add the EC2 instance role as a trusted service to the SSM service role: not required, because the application talks to Parameter Store directly with its own role; no SSM service role is assumed, so there is nothing to trust. B. Add permission to use the KMS key to decrypt to the SSM service role: not required, because decryption happens under the caller's identity, not under a service role, so granting kms:Decrypt to a service role would not help the application. E. Add the SSM service role as a trusted service to the EC2 instance role: not required, because the instance role's trust policy only needs to allow ec2.amazonaws.com to assume it, which the instance profile already provides.