Secure Method to Authenticate Amazon RDS Database from EC2 Application

Question

An application is deployed and running on an EC2 instance.

The application uses Amazon RDS as a database.

What is the secure method to authenticate to the Amazon RDS database from the EC2 application?

Answers

Explanations

A. B. C. D.

Answer: B.

Option A is incorrect because an access key ID and secret access key are not used to authenticate to Amazon RDS databases.

Option B is CORRECT because Amazon RDS supports IAM authentication.

This is done by creating an IAM user and role with access to the database and generating a temporary authentication token.

Option C is incorrect because embedding the user ID and password in the application source code is not a good security practice, as they sit there in unencrypted form.

Changing the user ID or password then requires a code change.

Option D is incorrect because storing the credentials in EC2 instance user data is not a good security practice.

They are stored unencrypted.

Further, updating the user ID or password requires stopping the EC2 instance.

Reference:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

The secure method to authenticate to the Amazon RDS database from the EC2 application is to use an IAM user and role, and generate an authentication token. Therefore, option B is the correct answer.

Option A, storing the access key ID and secret access key in the Systems Manager Parameter Store, is not secure as these credentials can be easily accessed by anyone with access to the EC2 instance.

Option C, embedding the database user ID and password in the application source code, is also not secure as the credentials are visible to anyone with access to the source code and can be compromised if the code repository is breached.

Option D, storing credentials in the EC2 instance user data, is also not secure as the user data can be accessed by anyone with access to the EC2 instance.

Using an IAM user and role, and generating an authentication token is the recommended method to authenticate to Amazon RDS. This involves creating an IAM user with the necessary permissions to access the RDS database, and then creating an IAM role that grants the necessary permissions to the EC2 instance. The EC2 instance can then assume the IAM role and generate an authentication token that can be used to authenticate to the RDS database. This method is secure as it uses temporary credentials that expire after a set period of time, and the credentials are not stored on the EC2 instance or in the application code.
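The token step described above, as an added example that is not part of the original page or of any AWS SDK: it reproduces in the Python standard library the SigV4 presigning that the SDKs' `generate_db_auth_token` call performs (a presigned `rds-db:connect` request, valid for 15 minutes, with the `https://` scheme stripped off), so the mechanics of the "temporary credential" are visible. The host name, database user, region, account and resource IDs, and the access key pair are constructed placeholders; on a real instance the key pair and session token come from the instance role via the SDK's credential chain, and the returned token is passed to the database driver as the password over a TLS connection (RDS rejects IAM tokens on plaintext connections). The least-privilege IAM policy and the database-side user setup are included as constants and comments because the token is useless without them.

```python
"""RDS IAM authentication token built with the standard library only.

Assumptions (not from the page): the SigV4 presigning below mirrors what the AWS
SDKs' generate_db_auth_token does; every host, user, region and key value is a
constructed placeholder.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

TOKEN_TTL_SECONDS = 900   # RDS IAM auth tokens expire 15 minutes after issue
SERVICE = "rds-db"        # SigV4 signing name for IAM database authentication

# Least-privilege policy for the EC2 instance role (account and DB resource id are placeholders).
CONNECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-RESOURCEID_PLACEHOLDER/app_user",
    }],
}
# The database user must be created for IAM authentication on the DB side, e.g.
#   MySQL/MariaDB: CREATE USER 'app_user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
#   PostgreSQL:    GRANT rds_iam TO app_user;

EXAMPLE_NOW = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)  # fixed clock for the demo


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return the token used as the DB password: a presigned GET URL without 'https://'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (instance role / STS) credentials carry a session token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, every key and value URI-encoded (slashes included).
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_query,
        f"host:{host}:{port}\n",            # canonical headers block (only 'host' is signed)
        "host",
        hashlib.sha256(b"").hexdigest(),    # empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_query}&X-Amz-Signature={signature}"


def seconds_until_expiry(token: str, now=None) -> int:
    """Read X-Amz-Date/X-Amz-Expires back out of a token; negative means already expired."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit("https://" + token).query)
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    return int(query["X-Amz-Expires"][0]) - int((now - issued).total_seconds())


if __name__ == "__main__":
    token = generate_db_auth_token(
        host="mydb.cluster-placeholder.us-east-1.rds.amazonaws.com", port=3306,
        db_user="app_user", region="us-east-1",
        access_key="AKIAPLACEHOLDER0000", secret_key="placeholder-secret", now=EXAMPLE_NOW,
    )
    print(token)
    # With a real driver the token is the password on a TLS connection, e.g.
    #   pymysql.connect(host=..., user="app_user", password=token, ssl={"ca": "rds-ca-bundle.pem"})
    print("seconds left:", seconds_until_expiry(token, now=EXAMPLE_NOW))
```

Two properties are worth checking in practice: the token contains no long-lived secret (only a signature derived from short-lived role credentials), and it carries its own issue time and 900-second lifetime, so an application that caches tokens can use `seconds_until_expiry` to refresh before the database starts rejecting them.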