Q7 — AWS SCS-C02 Ch.1

Question 7 of 100

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager. Which solution will meet the requirements?

Correct Answer: A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

Explanation

AWS CloudFormation dynamic references support retrieving sensitive data directly from Secrets Manager, with no need to store it in plaintext. The AWS Secrets Manager User Guide states that a dynamic reference securely retrieves a secret value using the `{{resolve:secretsmanager:secret-id}}` syntax. Option A uses this mechanism, ensuring that the database credentials are never exposed in the template. Option B's encrypted template cannot prevent the risk of parameters being transmitted in plaintext. The SecureString parameters in options C and D belong to Systems Manager Parameter Store, which does not match the Secrets Manager service the question says is already in use. The correct answer, A, follows security best practices.