SAP-C02 Study Assistant

SAP-C02 Question 131

Transit Gateway VPC Lambda EC2 RDS IAM Organizations Control Tower Secrets Manager

Question

A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts. In an AWS application account, the company's application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company's database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account. The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets. Which solution will meet these requirements?


Options

A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.


B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.


C. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.


D. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.


Answer

B

Explanation

Correct answer: B

Explanation: The answer to this question is B.

Correct option: B. In the application account, create an IAM role named DBA-Secret and grant it the permissions required to read the secrets. In the DBA account, create an IAM role named DBA-Admin and grant it permission to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance so it can reach the cross-account secrets.

Reason for the choice: This option most directly satisfies the key constraints in the question. The secrets are encrypted with the default AWS managed key (aws/secretsmanager) in the application account. An AWS managed key can only be used by principals of the account that owns it, and its key policy cannot be edited, so a principal from the DBA account can never decrypt those secrets directly. That rules out C, and it also rules out the usual alternative of a resource policy on the secret, which only works cross-account when the secret is encrypted with a customer managed KMS key whose key policy grants the other account. Role assumption avoids the problem entirely: once DBA-Admin has assumed DBA-Secret, the session is a principal of the application account, so the existing key policy already lets Secrets Manager decrypt on its behalf, and no manual sharing of secret values is needed. A fails because AWS Resource Access Manager does not support sharing Secrets Manager secrets. D fails because service control policies are organization-level guardrails that can only restrict permissions; an SCP never grants access to anything. Doing SAP-...
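The role chain in option B, written out as an added example (not part of the original page or of any AWS sample): the trust policy and permissions policy for DBA-Secret in the application account, the assume-role policy for DBA-Admin in the DBA account, a small local check that both halves of a cross-account AssumeRole agree, and the boto3 calls the EC2 instance would make at runtime. Account IDs, the region, the secret ARN and the session name are placeholders I chose; the policy matcher is a deliberately simplified model of IAM evaluation (Allow statements and wildcards only, no Deny, conditions, NotAction or session-ARN mapping).

```python
"""Cross-account Secrets Manager access via role assumption (option B).

Assumed placeholders: account IDs, region, secret ARN and session name.
The policy matcher below is a simplified model of IAM evaluation for
illustration; it is not the real IAM engine.
"""
import fnmatch
import json

APP_ACCOUNT_ID = "111111111111"   # assumed placeholder
DBA_ACCOUNT_ID = "222222222222"   # assumed placeholder
REGION = "us-east-1"              # assumed placeholder
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{APP_ACCOUNT_ID}:"
              "secret:prod/app/rds-credentials-AbCdEf")  # assumed placeholder
DBA_SECRET_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT_ID}:role/DBA-Secret"
DBA_ADMIN_ROLE_ARN = f"arn:aws:iam::{DBA_ACCOUNT_ID}:role/DBA-Admin"


def dba_secret_trust_policy() -> dict:
    """Trust policy of DBA-Secret (application account). It names the DBA-Admin
    role only, not the DBA account root, so no other principal in the DBA
    account can assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DBA_ADMIN_ROLE_ARN},
        "Action": "sts:AssumeRole"}]}


def dba_secret_permissions_policy() -> dict:
    """Identity policy of DBA-Secret: read one secret and nothing else. No kms
    statement is needed: the assumed session is a principal of the application
    account, which the default aws/secretsmanager key policy already covers."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": SECRET_ARN}]}


def dba_admin_permissions_policy() -> dict:
    """Identity policy of DBA-Admin (DBA account, on the EC2 instance profile):
    the only right it needs on the application account is to assume DBA-Secret."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": DBA_SECRET_ROLE_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt: dict, action: str, resource: str) -> bool:
    """Allow statements with '*' wildcards in Action/Resource; Deny, Condition
    and NotAction are ignored on purpose in this simplified model."""
    return (stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    return any(_statement_allows(s, action, resource) for s in policy["Statement"])


def trust_policy_allows(trust_policy: dict, caller_arn: str) -> bool:
    """True if an Allow sts:AssumeRole statement names the caller's role ARN
    exactly (real IAM also maps assumed-role session ARNs back to the role)."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if caller_arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            return True
    return False


def cross_account_assume_permitted(caller_arn: str, caller_policy: dict,
                                   target_role_arn: str, target_trust_policy: dict) -> bool:
    """Cross-account AssumeRole succeeds only when both sides agree: the caller's
    identity policy allows sts:AssumeRole on the target, and the target's trust
    policy lists the caller as a principal."""
    return (policy_allows(caller_policy, "sts:AssumeRole", target_role_arn)
            and trust_policy_allows(target_trust_policy, caller_arn))


def fetch_db_secret() -> dict:
    """What the EC2 instance (running as DBA-Admin) does at runtime. Needs boto3
    and instance-profile credentials, so boto3 is imported here, not at module level."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=DBA_SECRET_ROLE_ARN, RoleSessionName="dba-secret-read")["Credentials"]
    sm = boto3.client("secretsmanager", region_name=REGION,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return json.loads(sm.get_secret_value(SecretId=SECRET_ARN)["SecretString"])


if __name__ == "__main__":
    print(json.dumps(dba_secret_trust_policy(), indent=2))
    print("DBA-Admin may assume DBA-Secret:", cross_account_assume_permitted(
        DBA_ADMIN_ROLE_ARN, dba_admin_permissions_policy(),
        DBA_SECRET_ROLE_ARN, dba_secret_trust_policy()))
```

The two points worth noticing are that the trust policy names the DBA-Admin role ARN rather than `arn:aws:iam::222222222222:root` (trusting the root would let any principal in the DBA account with sts:AssumeRole rights reach the secret), and that DBA-Secret carries no kms permissions at all, which is exactly why this pattern works with the AWS managed key where a cross-account resource policy would not.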
