Q76 — AWS DVA-C02 Ch.1
Question 76 of 100
A company hosts its application on AWS. The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster using AWS Fargate. The cluster runs behind an Application Load Balancer. The application stores data in an Amazon Aurora database. Developers manage and encrypt the database credentials in the application. The company wants a more secure credential storage mechanism with automated, periodic credential rotation. Which solution meets these requirements with the lowest operational overhead?
- A. Migrate secrets to an Amazon RDS parameter group. Encrypt parameters using an AWS Key Management Service (AWS KMS) key. Enable credential rotation. Grant AWS KMS permissions to Amazon RDS using IAM policies and roles.
- B. Migrate credentials to AWS Systems Manager Parameter Store. Encrypt parameters using an AWS Key Management Service (AWS KMS) key. Enable credential rotation. Grant Amazon ECS Fargate permissions to access AWS Secrets Manager using IAM policies and roles.
- C. Migrate credentials to ECS Fargate environment variables. Encrypt credentials using an AWS Key Management Service (AWS KMS) key. Enable credential rotation. Grant Amazon ECS Fargate permissions to access AWS Secrets Manager using IAM policies and roles.
- D. Migrate credentials to AWS Secrets Manager. Encrypt credentials using an AWS Key Management Service (AWS KMS) key. Enable credential rotation. Grant Amazon ECS Fargate permissions to access AWS Secrets Manager using IAM policies and roles. ✓
Correct Answer: D. Migrate credentials to AWS Secrets Manager. Encrypt credentials using an AWS Key Management Service (AWS KMS) key. Enable credential rotation. Grant Amazon ECS Fargate permissions to access AWS Secrets Manager using IAM policies and roles.
Explanation
Option A is incorrect because Amazon RDS parameter groups configure database engine settings; they are not a store for application-level database credentials and cannot rotate them. Option B is suboptimal because Parameter Store does not natively support automatic credential rotation for external services such as Aurora, and the option's permission grant targets AWS Secrets Manager rather than the Parameter Store it proposes to use. Option C is insecure because credentials placed in ECS Fargate environment variables sit in plaintext in the task definition and are exposed to anything that can read the container's environment; environment variables also provide no rotation mechanism. Option D is correct: AWS Secrets Manager is purpose-built for storing, rotating, and securely retrieving secrets, encrypts them with an AWS KMS key, and integrates natively with Amazon ECS Fargate, so it meets the requirements with the lowest operational overhead.