SAP-C02 Study Assistant

SAP-C02 Question 206

Lambda RDS IAM KMS Secrets Manager Systems Manager

Question

A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team's IAM user group can access. This key must be rotated on a regular basis. What should a solutions architect do in the production environment to meet these requirements?

Options

A. Store the database credentials in AWS Systems Manager Parameter Store by using a SecureString parameter that is encrypted by an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the SecureString parameter. Restrict access to the SecureString parameter and the customer managed key so that only the IT security team can access the parameter and the key.

B. Encrypt the database credentials by using the AWS Key Management Service (AWS KMS) default Lambda key. Store the credentials in the environment variables of each Lambda function. Load the credentials from the environment variables in the Lambda code. Restrict access to the KMS key so that only the IT security team can access the key.

C. Store the database credentials in the environment variables of each Lambda function. Encrypt the environment variables by using an AWS Key Management Service (AWS KMS) customer managed key. Restrict access to the customer managed key so that only the IT security team can access the key.

D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.

Answer

D

Explanation

Correct answer: D

Explanation: The answer to this question is D.

Correct option: D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.

Rationale: This option most directly satisfies the key constraints stated in the question. When working through SAP-C02 questions, you need to...