Q34 — AWS SAA-C03 Ch.3
Q164. A company performs monthly maintenance on its AWS infrastructure. During these maintenance activities, the company needs to rotate the credentials for its Amazon RDS for MySQL databases across multiple AWS Regions. Which solution will meet these requirements with the LEAST operational overhead?
- A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule. ✓
- B. Store the credentials as secrets in AWS Systems Manager by creating a secure string parameter. Use multi-Region secret replication for the required Regions. Configure Systems Manager to rotate the secrets on a schedule.
- C. Store the credentials in an Amazon S3 bucket that has server-side encryption (SSE) enabled. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function to rotate the credentials.
- D. Encrypt the credentials as secrets by using AWS Key Management Service (AWS KMS) multi-Region customer managed keys. Store the secrets in an Amazon DynamoDB global table. Use an AWS Lambda function to retrieve the secrets from DynamoDB. Use the RDS API to rotate the secrets.
Correct Answer: A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.
Explanation
To rotate the credentials for Amazon RDS for MySQL databases across multiple AWS Regions during monthly maintenance with the least operational overhead, a solutions architect should store the credentials as secrets in AWS Secrets Manager, enable multi-Region secret replication for the required Regions, and configure scheduled rotation. Therefore, option A is the correct answer.

Option B suggests AWS Systems Manager Parameter Store instead of AWS Secrets Manager. Parameter Store is not designed for storing and rotating secrets: a secure string parameter has no built-in scheduled rotation or multi-Region replication, so the company would have to build both.

Option C suggests storing the credentials in an S3 bucket and using Amazon EventBridge to invoke a Lambda function that rotates them. This could work, but it requires custom code and more manual configuration, and it lacks the native RDS integration and automation that Secrets Manager provides.

Option D suggests encrypting the credentials with KMS multi-Region keys, storing them in a DynamoDB global table, and using a Lambda function to retrieve them and rotate them through the RDS API. This approach can also work, but it likewise requires custom code and more manual configuration without the integration and automation of Secrets Manager.

AWS Secrets Manager is built specifically for storing and rotating secrets and provides a fully managed rotation function for RDS for MySQL. Multi-Region secret replication keeps the credentials available in every required Region, and rotation on a schedule removes the manual work from the monthly maintenance window. This gives a secure, scalable, and reliable way to rotate credentials for Amazon RDS for MySQL databases with minimal operational overhead.