AWS Certified Solutions Architect - Professional 2020

Storing credentials: S3 preferable to DynamoDB?

In the security quiz, there’s a question about storing credentials, and the answer is to store credentials in an encrypted file in S3. Another answer is to store the creds in DynamoDB, which seems equally reasonable. DynamoDB tables can be encrypted, and access can be restricted just the same as S3, so what makes S3 the better choice?

Paul Schwarzenberger

Hi Andy, I just went through the quiz and also chose DynamoDB. However the DynamoDB option says assign an IAM policy to the EC2 instance, whereas the S3 option says assign an IAM role to the EC2 instance.

Paul Schwarzenberger

You have to associate an IAM policy with the IAM role, and then assign the IAM role to the EC2 instance – so I agree that the S3 option is the correct answer.


Thanks, Paul!

2 Answers

Hi Andy,

This is a good example of a subtle nuance that you’ll see on the CSAP exam time and time again. You have to be careful to not fill in stuff that is not explicitly stated in the question. Also, this question is an example of identifying the "least worst" option. We have to pick the best of the offerings even though we know there are better ways.

In this case, DynamoDB is a possibility and we could store the object on an encrypted table or encrypt it via GPG before we store it in Dynamo.   We could do many things with many services.  However, the answer does not SAY using an encrypted table and thus we must assume that the credentials will be stored in plain text.   Therefore, it makes that option "more worse" than the S3 option.

Yes, this may be silly, but it is how the exam is structured so we want to be sure to train you in that mindset.


K Troshin

DynamoDB should be encrypted by default, is it not?

K Troshin

The only issue is that there is an IAM Policy that should be assigned to the instance, not a role as in the case of S3, as mentioned by Paul Schwarzenberger. On the other hand, if we take it very precisely, IAM Roles also can't be assigned to EC2 instances directly, because you need to create an instance profile and associate it with a role first …

My thinking was more about costs and operational ease. I chose S3 because having some files in encrypted S3 is significantly cheaper than having a DynamoDB table. It is also easier to manage read rights to specific keys through S3 policies than DynamoDB.
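
The chain discussed in this thread (policy on a role, role in an instance profile, profile on the instance), as an added example that is not part of any poster's answer or the course material. The role, profile, bucket and object names are assumptions for illustration; `iam` and `ec2` are boto3 clients passed in by the caller.

```python
import json

# Assumed names for illustration only; none of these come from the thread.
ROLE = "app-creds-reader"
PROFILE = "app-creds-reader-profile"
BUCKET = "example-secrets-bucket"
KEY = "app/credentials.enc"


def trust_policy():
    """Who may assume the role: the EC2 service, on behalf of an instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def read_policy(bucket=BUCKET, key=KEY):
    """What the role may do: read exactly one object, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key}",
        }],
    }


def provision(iam, ec2, instance_id):
    """Run the chain in dependency order; iam and ec2 are boto3 clients."""
    iam.create_role(RoleName=ROLE,
                    AssumeRolePolicyDocument=json.dumps(trust_policy()))
    # The policy attaches to the role, never to the instance itself.
    iam.put_role_policy(RoleName=ROLE, PolicyName="read-one-object",
                        PolicyDocument=json.dumps(read_policy()))
    # The instance profile is the container that EC2 actually accepts.
    iam.create_instance_profile(InstanceProfileName=PROFILE)
    iam.add_role_to_instance_profile(InstanceProfileName=PROFILE,
                                     RoleName=ROLE)
    ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": PROFILE}, InstanceId=instance_id)
```

Against a real account, IAM changes are eventually consistent, so the final association may need a short retry after the profile is created.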
