2 Answers
Hi Andy,
This is a good example of a subtle nuance that you’ll see on the CSAP exam time and time again. You have to be careful to not fill in stuff that is not explicitly stated in the question. Also, this question is an example of identifying the "least worst" option. We have to pick the best of the offerings even though we know there are better ways.
In this case, DynamoDB is a possibility and we could store the object on an encrypted table or encrypt it via GPG before we store it in Dynamo. We could do many things with many services. However, the answer does not SAY using an encrypted table and thus we must assume that the credentials will be stored in plain text. Therefore, it makes that option "more worse" than the S3 option.
Yes, this may be silly, but it is how the exam is structured so we want to be sure to train you in that mindset.
–Scott
DynamoDB should be encrypted by default, is it not?
The only issue is that there is an IAM Policy that should be assigned to the instance, not a role like in the case of S3, as mentioned by Paul Schwarzenberger. On the other hand, if we take it very precisely, IAM Roles also can't be assigned to EC2 instances directly, because you need to create an instance profile and associate it with a role first …
My thinking was more about costs and operational ease. I chose S3 because having some files in encrypted S3 is significantly cheaper than having a DynamoDB table. It is also easier to manage read rights to specific keys through S3 policies than DynamoDB.
Hi Andy, I just went through the quiz and also chose DynamoDB. However the DynamoDB option says assign an IAM policy to the EC2 instance, whereas the S3 option says assign an IAM role to the EC2 instance.
You have to associate an IAM policy with the IAM role, and then assign the IAM role to the EC2 instance – so I agree that the S3 option is the correct answer.
Thanks, Paul!
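The chain the thread settles on (policy attached to a role, role placed in an instance profile, profile handed to the EC2 instance, credentials object in an encrypted S3 bucket) as an added example; this is not code from the course or from any poster, and the bucket, object key, role name and region are assumed placeholders.

```python
"""Least-privilege S3 credential access for EC2: policy -> role -> instance profile."""
import json

BUCKET = "example-app-secrets"        # assumed placeholder bucket name
OBJECT_KEY = "prod/db-credentials.gpg"  # assumed placeholder object key
ROLE_NAME = "AppCredentialReader"     # assumed placeholder role / profile name


def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role (via its instance profile)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def read_one_object_policy(bucket: str, key: str) -> dict:
    """Permission policy: read exactly one object, nothing else in the bucket."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": f"arn:aws:s3:::{bucket}/{key}"}]}


def require_sse_bucket_policy(bucket: str) -> dict:
    """Bucket policy: refuse any upload that does not request server-side encryption."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                           "Resource": f"arn:aws:s3:::{bucket}/*",
                           "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}


def is_least_privilege(policy: dict) -> bool:
    """Review check: no wildcard actions and no bucket-wide resources in an Allow."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any("*" in a for a in actions) or any(r == "*" or r.endswith("*") for r in resources):
            return False
    return True


def provision(iam) -> str:
    """Create role, attach inline policy, wrap it in an instance profile; returns the profile name
    to pass as IamInstanceProfile={"Name": ...} when launching the EC2 instance."""
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="ReadAppCredentials",
                        PolicyDocument=json.dumps(read_one_object_policy(BUCKET, OBJECT_KEY)))
    iam.create_instance_profile(InstanceProfileName=ROLE_NAME)
    iam.add_role_to_instance_profile(InstanceProfileName=ROLE_NAME, RoleName=ROLE_NAME)
    return ROLE_NAME


if __name__ == "__main__":
    import boto3  # only needed when actually provisioning against an AWS account
    print(provision(boto3.client("iam")))
```

The three document builders run offline, so the policies can be reviewed with `is_least_privilege` before anything touches the account.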