An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the customer-managed KMS CMK.
Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.

Answer options:

A.Add the EC2 instance role as a trusted service to the SSM service role.
B.Add permission to use the KMS key to decrypt to the SSM service role.
C.Add permission to read the SSM parameter to the EC2 instance role.
D.Add the kms:Decrypt permission in the EC2 instance role so that the EC2 instances can use the KMS key.
E.Add the SSM service role as a trusted service to the EC2 instance role. 

Answer: C and D
Option A is incorrect because an EC2 service role can be attached to the EC2 service instead of SSM.
Option B is incorrect because it is the EC2 instance instead of the SSM service role that requires access to encrypt and decrypt.
Option C is CORRECT because the EC2 instance role needs permission to read the SSM parameter.
Option D is CORRECT because the EC2 instance role needs to have permission to use the KMS key to decrypt so that the application can get the secrets via the API.
Option E is incorrect because the EC2 instance role does not need to trust the SSM service.
The below example policy from the AWS Documentation is required to be given to the EC2 Instance to read a secure string from AWS KMS. Permissions need to be given to the Get Parameter API and the KMS API call to decrypt the secret.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter*"
],
"Resource": "arn:aws:ssm:us-west-2:111122223333:/parameter/ReadableParameters/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
For more information on the parameter store, please visit the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html