Amazon SAP-C02 Exam - Topic 3 Question 26 Discussion

Actual exam question for Amazon's SAP-C02 exam

Question #: 26
Topic #: 3

A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH Key pairs. Each machine requires a unique EC2 Key pair.

The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the key in a securely encrypted place. The company will accept less than 1 minute of downtime during key rotation.

Which solution will meet these requirement?

AStore all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public Keys on EC2 instances. Update the private keys in Secrets Manager.

BStore all the keys in Parameter. Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instance. Update the private keys in parameter.

CImport the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure automatic key rotation for these key pairs. Create an Amazon EventlBridge scheduled rule to invoke an AWS Lambda function to initiate the key rotation AWS KMS.

DAdd all the EC2 instances to Feet Manager, a capability of AWS Systems Manager. Define a Systems Manager maintenance window to issue a Systems Manager Run Command document to generate new Key pairs and to rotate public keys to all the instances in Feet Manager.

Show Suggested Answer

Suggested Answer: A

To meet the requirements for automatic key rotation of EC2 SSH key pairs with minimal downtime, storing the keys in AWS Secrets Manager and defining a rotation schedule is the most suitable solution. AWS Secrets Manager supports automatic rotation of secrets, including SSH keys, by invoking a Lambda function that can handle the creation of new key pairs and the replacement of public keys on EC2 instances. Updating the corresponding private keys in Secrets Manager ensures secure and centralized management of SSH keys, complying with the key rotation policy and minimizing operational overhead.

AWS Secrets Manager Documentation: Describes how to store and rotate secrets, including SSH keys, using Secrets Manager and Lambda functions.

AWS Lambda Documentation: Provides information on creating Lambda functions for custom secret rotation logic.

AWS Best Practices for Security: Highlights the importance of key rotation and how AWS services like Secrets Manager can facilitate secure and automated key management.

by Tonette at Mar 19, 2024, 12:44 AM

Limited Time Offer

25%

Off

Get Premium SAP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Clare

3 months ago

I agree with A, it’s the most straightforward solution!

upvoted 0 times

...

Lonny

3 months ago

D seems like overkill for just key rotation.

upvoted 0 times

...

Mozelle

3 months ago

C is interesting, but can KMS really handle EC2 key pairs?

upvoted 0 times

...

Elly

4 months ago

I think B could work too, but it seems a bit more complicated.

upvoted 0 times

...

Malinda

4 months ago

Option A sounds solid, using Secrets Manager is a good move.

upvoted 0 times

...

Craig

4 months ago

I vaguely recall something about Systems Manager and maintenance windows, but I'm not clear on how it integrates with EC2 key pairs. Option D seems a bit complex.

upvoted 0 times

...

Taryn

4 months ago

I feel like AWS KMS is more for encryption keys rather than EC2 key pairs. I’m not confident about option C, but it does mention automatic rotation, which is a plus.

upvoted 0 times

...

Twana

4 months ago

I think option A sounds familiar; it seems like a common approach for securely managing secrets. I practiced a similar question about rotating database credentials.

upvoted 0 times

...

Felix

5 months ago

I remember studying AWS Secrets Manager for key management, but I'm not entirely sure if it supports automatic key rotation for EC2 key pairs.

upvoted 0 times

...

Colette

5 months ago

This seems like a classic AWS architecture design question. I'm confident I can work through the options and identify the one that best meets the stated requirements. The 1-minute downtime limit is an important constraint to keep in mind.

upvoted 0 times

...

Chauncey

5 months ago

Hmm, this is a tricky one. I'm a bit confused about the differences between the various AWS services mentioned - Secrets Manager, Systems Manager, KMS, etc. I'll need to review the details of each to determine the best fit.

upvoted 0 times

...

Teddy

5 months ago

This looks like a straightforward AWS-focused question. I think I can approach it systematically by evaluating each option and considering the key requirements like security, automation, and downtime.

upvoted 0 times

...

Antione

5 months ago

Okay, I've got a strategy here. The key is finding a solution that can automatically rotate the keys, keep them securely encrypted, and minimize downtime. I'm leaning towards option A or B since they both mention using a Lambda function to handle the rotation process.

upvoted 0 times

...

Herminia

5 months ago

Okay, let me think this through. The goal of Lean is to deliver maximum customer value in the shortest sustainable lead time. So the answer must be something that supports that goal, like a continuous delivery pipeline or improved capacity allocation. I'm going to go with B.

upvoted 0 times

...

Sharita

5 months ago

Hmm, I'm a bit unsure about this one. I know the Cisco WSA has different configuration modes, but I can't recall the specific one for setting up Kerberos authentication. I'll have to think this through carefully.

upvoted 0 times

...

Jackie

5 months ago

I remember studying the features of Aurora, and I think backtracking might be the right choice since it can roll back in the same cluster.

upvoted 0 times

...

Cheryl

5 months ago

Hmm, I'm a bit confused by the wording of the options. I'll need to carefully read through each one to make sure I understand what they're asking.

upvoted 0 times

...

Adolph

2 years ago

Thanks, Selma. I just think option A might be more practical for our company's needs. But it's good to consider all the options.

upvoted 0 times

...

Selma

2 years ago

I see your point, Adolph. Option C does have the advantage of leveraging AWS KMS for key management. It could be a good choice as well.

upvoted 0 times

...

Jamal

2 years ago

I personally prefer option B. Storing keys in Parameter Store and using Systems Manager for maintenance window scheduling seems like a simple and effective solution.

upvoted 0 times

...

Adolph

2 years ago

I disagree with you, Selma. I believe option C is the most suitable choice. Importing keys into AWS KMS and setting up automatic rotation seems like a more streamlined approach.

upvoted 0 times

...

Selma

2 years ago

I think option A is the best solution. Storing keys in AWS Secrets Manager and using Lambda function for rotation sounds secure and efficient.

upvoted 0 times

...

Cheryll

2 years ago

I personally think option D is better. Adding instances to Feet Manager for key rotation seems like a straightforward approach.

upvoted 0 times

...

Yoko

2 years ago

That's true, Gilma. Option C provides automatic rotation, which could be more convenient in the long run.

upvoted 0 times

...

Gilma

2 years ago

But what about option C? Importing key pairs into AWS KMS and setting up automatic rotation also seems like a good choice.

upvoted 0 times

...

Laurena

2 years ago

I agree with Yoko. Storing keys in AWS Secrets Manager and using Lambda function for rotation seems efficient.

upvoted 0 times

...

Yoko

2 years ago

I think option A sounds like a good solution for key rotation policy.

upvoted 0 times

...

Merrilee

2 years ago

What about Option C with AWS KMS? If we can configure automatic key rotation and use EventBridge to trigger the rotation, that might be the best way to meet the downtime requirement.

upvoted 0 times

Dante

2 years ago

Option C it is then, let's implement this solution for our EC2 instances.

upvoted 0 times

...

Adelle

2 years ago

Agreed, AWS KMS with automatic key rotation and EventBridge triggering seems like the way to go.

upvoted 0 times

...

Stephaine

2 years ago

Let's go with Option C then, it seems like the most suitable solution for our needs.

upvoted 0 times

...

Lucina

2 years ago

Automatic key rotation can definitely help in keeping the instances secure without causing much downtime.

upvoted 0 times

...

Alisha

2 years ago

It's important to ensure the key rotation process is smooth and quick to meet the downtime requirement.

upvoted 0 times

...

Boris

2 years ago

I agree, configuring automatic key rotation with AWS KMS and using EventBridge for triggering sounds like a solid plan.

upvoted 0 times

...

Leatha

2 years ago

Option C sounds like a good choice. Using AWS KMS for automatic key rotation seems efficient.

upvoted 0 times

...

Carol

2 years ago

No kidding! I don't even want to think about the potential for human error. Automation is definitely the way to go here.

upvoted 0 times

...

Joni

2 years ago

That's a good point. KMS could handle the key rotation more seamlessly and reduce the downtime. Plus, it's a secure service for storing the keys.

upvoted 0 times

...

Leandro

2 years ago

True, but we also need to consider the downtime requirement. I'm not sure if Secrets Manager can guarantee less than 1 minute of downtime during the rotation.

upvoted 0 times

...