AWS Solutions Architect · Lesson

Secure Architecture Scenarios

Work through scenario questions on IAM least privilege, encryption, VPC isolation, and WAF/Shield to lock in your security domain knowledge.

Scenario 1: Least-Privilege EC2 S3 Access

Scenario: An EC2 instance runs a web application that needs to read objects from a specific S3 bucket. The security team requires that no long-term credentials are stored on the instance and that access follows the principle of least privilege.

Solution: Create an IAM role with a policy allowing only s3:GetObject on the specific bucket ARN. Attach the role to the EC2 instance as an instance profile. The application retrieves temporary credentials automatically from the instance metadata service (IMDS), so no stored keys are needed.

# IAM policy for least-privilege EC2 -> S3 read (JSON requires double quotes)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::my-app-bucket/*"
  }]
}

# Attach role to EC2 instance
aws ec2 associate-iam-instance-profile \
  --instance-id i-1234567890abcdef0 \
  --iam-instance-profile Name=EC2S3ReadRole
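A small checker for the "only s3:GetObject on the specific bucket" requirement above, added here as an example and not part of the original lesson. It assumes the policy is already parsed into a Python dict and flags wildcard actions, unneeded actions, NotAction/NotResource, and resources outside the bucket; the two sample policies are constructed for the demonstration.

```python
# Constructed sample: the scenario's least-privilege policy, which should pass.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::my-app-bucket/*"}],
}

# Constructed sample: an over-broad policy that should be rejected.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy, allowed_actions, bucket_arn):
    """Return findings (strings) for every way an Allow statement exceeds
    `allowed_actions` on `bucket_arn` (bucket or its objects). An empty list
    means the policy is within scope. Action names compare case-insensitively,
    as IAM does."""
    allowed = {a.lower() for a in allowed_actions}
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        # NotAction / NotResource invert matching and almost always over-grant.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {i}: uses {key}, which over-grants")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in allowed:
                findings.append(f"statement {i}: action {action} not needed")
        for res in _as_list(stmt.get("Resource", [])):
            in_scope = res == bucket_arn or res.startswith(bucket_arn + "/")
            if not in_scope:
                findings.append(f"statement {i}: resource {res} outside bucket")
    return findings


if __name__ == "__main__":
    for name, pol in (("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("over-broad", OVERBROAD_POLICY)):
        found = least_privilege_findings(pol, ["s3:GetObject"],
                                         "arn:aws:s3:::my-app-bucket")
        print(name, "->", found or "OK")
```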

Scenario 2: Encrypting Data in an RDS Database

Scenario: A company stores customer PII in an RDS PostgreSQL database. The compliance team requires encryption at rest with the ability to audit key usage.

Solution: Enable RDS encryption using AWS KMS with a Customer Managed Key (CMK). The CMK lets the security team control key rotation, view key usage in CloudTrail, and revoke access if needed.

Note: encryption must be enabled when the RDS instance is created; an existing unencrypted RDS instance cannot be encrypted in place. To encrypt an existing DB, take a snapshot, copy it with encryption enabled, and restore from the encrypted snapshot.

# Create an encrypted RDS instance (storage encryption can only be set at creation)
# The password is single-quoted so the shell does not history-expand the '!';
# it still lands in shell history, so prefer --manage-master-user-password
# to have Secrets Manager generate and store it instead.
aws rds create-db-instance \
  --db-instance-identifier prod-postgres \
  --db-instance-class db.t3.medium \
  --engine postgres \
  --master-username admin \
  --master-user-password 'SecurePass123!' \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/mrk-abc123 \
  --allocated-storage 100
