Q19 — AWS DVA-C02 Ch.1
Question 19 of 100
A company must use AWS CloudFormation templates to deploy all its Amazon RDS database instances as part of an AWS CodePipeline continuous integration and continuous delivery (CI/CD) automation. The database instance master password must be automatically generated during deployment. Which solution satisfies these requirements with minimal development effort?
- A. Create a Lambda-backed CloudFormation custom resource. Write Lambda code to generate a secure string. Return the secure string value in the custom resource response object’s Data field. Use the CloudFormation Fn::GetAtt intrinsic function to retrieve the secure string value. Use that value to create the database instance.
- B. Use an AWS CodeBuild action in CodePipeline to generate a secure string via the following AWS CLI command: `aws secretsmanager get-random-password`. Pass the generated secure string as a CloudFormation parameter with the NoEcho property set to true. Reference the parameter when creating the database instance. ✓
- C. Create a Lambda-backed CloudFormation custom resource. Write Lambda code to generate a secure string. Return the secure string value in the custom resource response object’s Data field. Use the CloudFormation Fn::GetAtt intrinsic function to retrieve the secure string value. Create a secret in AWS Secrets Manager. Use a Secrets Manager dynamic reference to retrieve the stored value when creating the database instance.
- D. Use the AWS::SecretsManager::Secret resource to generate a secure string. Store the secure string as a secret in AWS Secrets Manager. Use a Secrets Manager dynamic reference to retrieve the stored value when creating the database instance.
Correct Answer: B.
Explanation
Option B is optimal because it uses the AWS CLI (`aws secretsmanager get-random-password`) to generate a secure string and injects it directly into CloudFormation as a NoEcho parameter, with no custom Lambda function or additional infrastructure required. It integrates cleanly into the CI/CD pipeline and avoids unnecessary complexity. Option A introduces custom resource development overhead. Option C adds redundant steps by storing the same value in Secrets Manager after it has already been generated. Option D relies solely on Secrets Manager but still requires extra configuration and permissions management compared to the streamlined parameter-based approach in option B.