Q50 — AWS SAA-C03 Ch.4
Q245. A company has an application that runs on Amazon EC2 instances and uses an Amazon Aurora database. The EC2 instances connect to the database by using user names and passwords that are stored locally in a file. The company wants to minimize the operational overhead of credential management. What should a solutions architect do to accomplish this goal?
- A. Use AWS Secrets Manager. Turn on automatic rotation. ✓
- B. Use AWS Systems Manager Parameter Store. Turn on automatic rotation.
- C. Create an Amazon S3 bucket to store objects that are encrypted with an AWS Key Management Service (AWS KMS) encryption key. Migrate the credential file to the S3 bucket. Point the application to the S3 bucket.
- D. Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume for each EC2 instance. Attach the new EBS volume to each EC2 instance. Migrate the credential file to the new EBS volume. Point the application to the new EBS volume.
Correct Answer: A. Use AWS Secrets Manager. Turn on automatic rotation.
Explanation
Storing authentication credentials in a local file on EC2 instances is not a secure solution: anyone who can read the file system (or a backup, AMI, or snapshot of it) obtains the database password, and rotating it means touching every instance by hand. AWS Secrets Manager is the service built for this problem: it stores secrets encrypted with AWS KMS, controls access to them through IAM, and rotates them on a schedule. With Secrets Manager the company stores the Aurora user name and password in a secret, which the application on the EC2 instances retrieves at runtime through its instance role instead of reading a local file. Turning on automatic rotation lets Secrets Manager rotate the Aurora credentials itself (using a rotation Lambda function and updating the secret value), which removes the operational overhead of manual rotation and improves security by regularly changing the password. Options C and D only move the plaintext file to a different encrypted storage location; they do not rotate anything and still leave a long-lived static credential on disk. Option B, Systems Manager Parameter Store, can hold an encrypted SecureString parameter but has no built-in automatic rotation for database credentials. Therefore, option A is the correct solution for minimizing the operational overhead of credential management while improving security.