Q61 — AWS SAA-C03 Ch.3
Q191. A company is developing a two-tier web application on AWS. The company's developers have deployed the application on an Amazon EC2 instance that connects directly to a backend Amazon RDS database. The company must not hardcode database credentials in the application. The company must also implement a solution to automatically rotate the database credentials on a regular basis. Which solution will meet these requirements with the LEAST operational overhead?
- A. Store the database credentials in the instance metadata. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and instance metadata at the same time.
- B. Store the database credentials in a configuration file in an encrypted Amazon S3 bucket. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. Use S3 Versioning to ensure the ability to fall back to previous values.
- C. Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret. ✓
- D. Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Turn on automatic rotation for the encrypted parameters. Attach the required permission to the EC2 role to grant access to the encrypted parameters.
Correct Answer: C. Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.
Explanation
To store database credentials securely and rotate them automatically on a regular basis with the least operational overhead, the company should store the credentials as a secret in AWS Secrets Manager and enable automatic rotation for the secret. The EC2 instance role is granted permission to read the secret. Therefore, option C is the correct answer.

Option A stores the database credentials in instance metadata and uses Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the instance metadata at the same time. While this approach may work, it requires more configuration management than AWS Secrets Manager.

Option B stores the database credentials in a configuration file in an encrypted Amazon S3 bucket and uses Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. While this approach may work, it also requires more configuration management than AWS Secrets Manager.

Option D stores the database credentials as encrypted parameters in AWS Systems Manager Parameter Store and enables automatic rotation for the encrypted parameters, with the EC2 role granted permission to access them. While this approach may work, Parameter Store is not designed specifically for secrets management and does not provide the same level of security and ease of use as AWS Secrets Manager.

By storing the database credentials as a secret in AWS Secrets Manager and enabling automatic rotation, the company ensures that the credentials are rotated automatically without any manual intervention. Granting the EC2 role permission to read the secret gives the application a secure way to obtain the credentials at run time without hardcoding them. This solution meets the requirements stated in the question with minimal operational overhead.
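As an added example (not part of this question bank), the following Python shows how the application on the EC2 instance would consume the option C secret at run time and cope with automatic rotation: the credentials are read from Secrets Manager rather than from code, and when the database rejects a cached password after a rotation the secret is re-read once and the connection retried. The Secrets Manager client and the database connect function are injected so the logic runs offline with constructed stand-ins; in production you would pass `boto3.client("secretsmanager")` and a connect function that accepts the secret's JSON keys as keyword arguments. The secret name and the four JSON keys are assumptions.

```python
import json

class AuthError(Exception): pass  # raised by connect() when the DB rejects the password

class RotatingDbConnector:
    """Reads RDS credentials from Secrets Manager at run time and re-reads them
    once if the database rejects the cached password after a rotation."""
    def __init__(self, secrets_client, secret_id, connect):
        self._sm = secrets_client    # boto3.client("secretsmanager") in production
        self._secret_id = secret_id  # assumed secret name, e.g. "prod/app/rds"
        self._connect = connect      # driver connect function taking the secret's keys
        self._cached = None
    def _fetch(self):
        # get_secret_value returns the AWSCURRENT version; assumed JSON keys below.
        resp = self._sm.get_secret_value(SecretId=self._secret_id)
        self._cached = json.loads(resp["SecretString"])
        return self._cached
    def connect(self):
        try:
            return self._connect(**(self._cached or self._fetch()))
        except AuthError:
            # Rotation moved AWSCURRENT on: refresh once and retry; a second failure propagates.
            return self._connect(**self._fetch())

class FakeSecretsManager:
    """Constructed stand-in for Secrets Manager whose stored password rotates."""
    def __init__(self):
        self.password = "pw-v1"
    def rotate(self):
        self.password = "pw-v2"
    def get_secret_value(self, SecretId):
        body = {"username": "app", "password": self.password,
                "host": "db.example.internal", "port": 5432}
        return {"SecretString": json.dumps(body)}

def make_connect(store):
    """Constructed database stub that accepts only the currently stored password."""
    def connect(username, password, host, port):
        if password != store.password:
            raise AuthError("password authentication failed")
        return f"{username}@{host}:{port} using {password}"
    return connect

def demo():
    store = FakeSecretsManager()
    db = RotatingDbConnector(store, "prod/app/rds", make_connect(store))
    first = db.connect()   # reads the secret, connects with pw-v1
    store.rotate()         # automatic rotation runs out of band
    second = db.connect()  # cached pw-v1 rejected, secret re-read, pw-v2 works
    return first, second
```

The IAM policy on the instance role only needs `secretsmanager:GetSecretValue` on that one secret's ARN, so the application never holds a long-lived database password outside Secrets Manager.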