Q58 — AWS DVA-C02 Ch.1
Question 58 of 100 | ← Chapter 1
A company uses AWS CloudFormation templates as part of its AWS CodePipeline–based CI/CD automation to deploy all Amazon RDS DB instances. The DB instance master password must be automatically generated during deployment. Which solution satisfies these requirements with minimal development effort?
- A. Create a CloudFormation custom resource backed by AWS Lambda. Write Lambda code to generate a secure string. Return the secure string value in the custom resource response object's Data field. Retrieve the value using the CloudFormation Fn::GetAtt intrinsic function and use it to create the DB instance.
- B. Use an AWS CodeBuild action in CodePipeline to generate a secure string via the AWS CLI command: aws secretsmanager get-random-password. Pass the generated secure string as a CloudFormation parameter with the NoEcho property set to true. Reference the parameter when creating the DB instance.
- C. Create a CloudFormation custom resource backed by AWS Lambda. Write Lambda code to generate a secure string. Return the secure string value in the custom resource response object's Data field. Retrieve the value using the CloudFormation Fn::GetAtt intrinsic function. Store the secure string in AWS Secrets Manager. Use a secretsmanager dynamic reference to retrieve the stored value when creating the DB instance.
- D. Use an AWS::SecretsManager::Secret resource to generate a secure string. Store the secure string as a secret in AWS Secrets Manager. Use a secretsmanager dynamic reference to retrieve the stored value when creating the DB instance. ✓
Correct Answer: D. Use an AWS::SecretsManager::Secret resource to generate a secure string. Store the secure string as a secret in AWS Secrets Manager. Use a secretsmanager dynamic reference to retrieve the stored value when creating the DB instance.
Explanation
Option D’s solution leverages AWS Secrets Manager to generate and store the secure string, then uses a secretsmanager dynamic reference to inject that value into the DB instance creation. This is a valid and recommended solution because AWS Secrets Manager is purpose-built for managing sensitive information, providing secure storage and fine-grained access control.