Problem
An AWS customer is deploying an application that is composed of an AutoScalingGroup of EC2 instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's VPC must be authenticated using an X.509 certificate that contains the specific instance-id.
In addition, all X.509 certificates must be signed by the customer’s key management service in order to be trusted for authentication.
Which of the following configurations will support these requirements?
A. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the AutoScalingGroup to launch instances with the role. Have the instances' bootstrap fetch the certificate from Amazon S3 upon first boot.
B. Configure the Auto Scaling Group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the key management service generate a signed certificate and send it directly to the newly launched instance.
C. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling Group. Have the launched instances generate a certificate signing request containing the instance's assigned instance-id and send it to the key management service for signature.
D. Configure the launched instances to generate a new certificate upon first boot. Have the key management service poll the AutoScalingGroup for associated instances and send new instances a certificate signature that contains the specific instance-id.
Answer: B
Explanation
A. Each newly launched instance needs its own certificate containing its own instance-id. Here the certificate in S3 was signed in advance, before any instance existed, so it cannot contain a specific instance-id.
B. This satisfies both requirements: the launch notification tells the customer's key management service which instance was created, so the service can issue a certificate specific to that instance-id and sign it itself.
C. As in A, a certificate baked into the AMI is shared by every instance launched from it and cannot carry a specific instance-id.
D. Here each instance generates its own certificate rather than leaving certificate generation to the customer's key management service.