Dynamodb can be a good option for this (as well as Secrets Manager, SSM, or s3 file). For example, look at https://github.com/fugue/credstash credstash. It uses KMS and dynamo to store secrets. There is nothing in the question that says using KMS is out of consideration.
Therefore I submit that "The only one that works and leads us away from hard-coding into more secure multi-layer control is storing on S3 and being dynamically read" is incorrect, dynamodb is also an option that moves you towards a more secure solution as well.
1 Answers
Hi Michael,
You’ve fallen into the Practitioner’s Curse trap and this is a trick that will trip you up on the exam especially if you’re experienced. You have to evaluate the question on what is written and nothing more…no additional Github projects or no additional services. The DynamoDB answer says "Store credentials in DynamoDB and create an IAM policy with access and assign to the EC2 instance." Is says nothing about encrypting them or using KMS.
If you use the "nothing says
–Scott
OK, thank you for your response. I remmeber back to the SAA course where Ryan repeated the point not to invent additional constraints that would rule out an answer. I believe his advice there and your advice here are in tension; but that can be ok. Thanks again
Still, I believe there is not enough variation between the two answers: "Store credentials in an encrypted file on S3 and create an IAM role with access assigning it to the EC2 instance." and "Store credentials in DynamoDB and create an IAM policy with access and assign to the EC2 instance." to be able to say definitely that the S3 answer is the only one that works and leads away from hard-coding. Dynamodb is encrypted at rest wtih KMS by default. Would you be so kind as to explain what would rule out dynamodb in this question? Thank you.
Shouldn’t it be an IAM Role to access DynamoDB, which makes it falsey?
I am also confused to why the DynamoDB solution does not work? I agree that DynamoDb is encrypted at rest with KMS by default so that’s not making extra criteria up… Is it because DynamoDB does not have encryption in transit by default?
@Laurent, thank you, your explanation does make sense to me. I hope @Scott Pletcher or someone from A Cloud Guru can confirm