Q48 — AWS DVA-C02 Ch.2
A company runs an application on Amazon EC2 instances. The EC2 instances connect to an Amazon RDS for SQL Server database. A developer needs to store and access credentials securely and rotate them automatically. The developer does not want to store database credentials in code. Which solution meets these requirements in the most secure way?
- A. Create an IAM role with permissions to access the database and attach the IAM role to the EC2 instance.
- B. Store credentials as secrets in AWS Secrets Manager. Create an AWS Lambda function to update the secrets and the database password. Retrieve credentials from Secrets Manager as needed. ✓
- C. Store credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance launch template to download the credentials from Amazon S3 at instance launch. Create an AWS Lambda function to update the secrets and the database.
- D. Store credentials in an Amazon DynamoDB table. Configure an Amazon CloudWatch Events rule to invoke an AWS Lambda function to periodically update the secrets and the database.
Correct Answer: B. Store credentials as secrets in AWS Secrets Manager. Create an AWS Lambda function to update the secrets and the database password. Retrieve credentials from Secrets Manager as needed.
Explanation
Option B stores the credentials in AWS Secrets Manager, a secure way to store and manage sensitive data because it provides encrypted storage and automatic credential rotation. An AWS Lambda rotation function updates both the secret in Secrets Manager and the database password, so rotation happens regularly without manual intervention. The application retrieves the credentials from Secrets Manager at runtime instead of embedding them in code, which reduces the risk of credential exposure. Option B is therefore the most secure solution.