Q34 — AWS SAA-C03 Chapter 3

Question 34 of 65

Q164. A company performs monthly maintenance on its AWS infrastructure. During these maintenance activities, the company needs to rotate the credentials for its Amazon RDS for MySQL databases across multiple AWS Regions. Which solution will meet these requirements with the least operational overhead?

Correct answer: A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.

Explanation

To rotate the credentials for Amazon RDS for MySQL databases across multiple AWS Regions during monthly maintenance with the least operational overhead, a solutions architect should store the credentials as secrets in AWS Secrets Manager, use multi-Region secret replication for the required Regions, and configure the secrets to rotate on a schedule. Option A is therefore the correct answer.

Option B suggests using AWS Systems Manager instead of AWS Secrets Manager. This is not ideal, because Systems Manager is not specifically designed for storing and rotating secrets.

Option C suggests storing the credentials in an S3 bucket and using Amazon EventBridge to invoke a Lambda function that rotates them. This could work, but it requires more manual configuration and does not provide the same level of integration and automation as AWS Secrets Manager.

Option D suggests encrypting the credentials with KMS, storing them in a DynamoDB global table, and using a Lambda function to retrieve and rotate them through the RDS API. This approach can also work, but it likewise requires more manual configuration and does not provide the same level of integration and automation as AWS Secrets Manager.

AWS Secrets Manager is designed specifically for storing and rotating secrets and provides a simple, fully managed solution for managing credentials. Multi-Region secret replication ensures that the credentials are available in every required Region, while scheduled rotation minimizes operational overhead. The result is a secure, scalable, and reliable solution for rotating credentials for Amazon RDS for MySQL databases.
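As an added illustration of option A (not part of the original question or of any AWS sample), the CloudFormation template below creates the RDS credentials as a Secrets Manager secret, replicates it to a second Region, attaches it to an existing MySQL instance, and rotates it on a monthly schedule using the AWS-hosted MySQL rotation function. The secret name, replica Region, and `DbInstanceId` parameter are assumed values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::SecretsManager-2020-07-23   # required for HostedRotationLambda
Description: RDS for MySQL credentials, replicated to a second Region and rotated monthly

Parameters:
  DbInstanceId:
    Type: String
    Description: Identifier of the existing RDS for MySQL instance (assumed to exist)
  ReplicaRegion:
    Type: String
    Default: eu-west-1                        # assumed second Region

Resources:
  DbCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: prod/mysql/app-user               # assumed secret name
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app_user"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
      ReplicaRegions:                         # multi-Region secret replication
        - Region: !Ref ReplicaRegion

  DbCredentialsAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbCredentials
      TargetId: !Ref DbInstanceId
      TargetType: AWS::RDS::DBInstance        # adds host, port, dbname to the secret

  DbCredentialsRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbCredentialsAttachment        # rotation needs the connection details
    Properties:
      SecretId: !Ref DbCredentials
      HostedRotationLambda:
        RotationType: MySQLSingleUser         # AWS-managed rotation function
        RotationLambdaName: !Sub "${AWS::StackName}-mysql-rotation"
      RotationRules:
        ScheduleExpression: cron(0 2 1 * ? *) # 02:00 UTC on the 1st of each month
        Duration: 2h                          # rotation window
      RotateImmediatelyOnUpdate: false
```

Rotation runs only against the primary secret; each new version is replicated to the read-only replica in `ReplicaRegion`, so applications there read the rotated credentials without any per-Region rotation setup. If the database sits in a VPC, the hosted rotation function also needs `VpcSubnetIds` and `VpcSecurityGroupIds` that can reach the instance.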