Amazon Exam SAP-C02 Topic 3 Question 26 Discussion

Actual exam question for Amazon's SAP-C02 exam

Question #: 26
Topic #: 3

A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH Key pairs. Each machine requires a unique EC2 Key pair.

The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the key in a securely encrypted place. The company will accept less than 1 minute of downtime during key rotation.

Which solution will meet these requirement?

AStore all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public Keys on EC2 instances. Update the private keys in Secrets Manager.

BStore all the keys in Parameter. Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instance. Update the private keys in parameter.

CImport the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure automatic key rotation for these key pairs. Create an Amazon EventlBridge scheduled rule to invoke an AWS Lambda function to initiate the key rotation AWS KMS.

DAdd all the EC2 instances to Feet Manager, a capability of AWS Systems Manager. Define a Systems Manager maintenance window to issue a Systems Manager Run Command document to generate new Key pairs and to rotate public keys to all the instances in Feet Manager.

Show Suggested Answer

Suggested Answer: A

To meet the requirements for automatic key rotation of EC2 SSH key pairs with minimal downtime, storing the keys in AWS Secrets Manager and defining a rotation schedule is the most suitable solution. AWS Secrets Manager supports automatic rotation of secrets, including SSH keys, by invoking a Lambda function that can handle the creation of new key pairs and the replacement of public keys on EC2 instances. Updating the corresponding private keys in Secrets Manager ensures secure and centralized management of SSH keys, complying with the key rotation policy and minimizing operational overhead.

AWS Secrets Manager Documentation: Describes how to store and rotate secrets, including SSH keys, using Secrets Manager and Lambda functions.

AWS Lambda Documentation: Provides information on creating Lambda functions for custom secret rotation logic.

AWS Best Practices for Security: Highlights the importance of key rotation and how AWS services like Secrets Manager can facilitate secure and automated key management.

by Tonette at Mar 19, 2024, 12:44 AM

Limited Time Offer

25%

Off

Get Premium SAP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Merrilee

7 days ago

What about Option C with AWS KMS? If we can configure automatic key rotation and use EventBridge to trigger the rotation, that might be the best way to meet the downtime requirement.

upvoted 0 times

...

Carol

8 days ago

No kidding! I don't even want to think about the potential for human error. Automation is definitely the way to go here.

upvoted 0 times

...

Joni

9 days ago

That's a good point. KMS could handle the key rotation more seamlessly and reduce the downtime. Plus, it's a secure service for storing the keys.

upvoted 0 times

...

Leandro

10 days ago

True, but we also need to consider the downtime requirement. I'm not sure if Secrets Manager can guarantee less than 1 minute of downtime during the rotation.

upvoted 0 times

...