Q34 — AWS SAA-C03 Chapter 3
Question 34 of 65
Q164. A company performs monthly maintenance on its AWS infrastructure. During these maintenance activities, the company needs to rotate the credentials for its Amazon RDS for MySQL databases across multiple AWS Regions. Which solution will meet these requirements with the LEAST operational overhead?
- A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule. ✓
- B. Store the credentials as secrets in AWS Systems Manager by creating SecureString parameters. Use multi-Region secret replication for the required Regions. Configure Systems Manager to rotate the secrets on a schedule.
- C. Store the credentials in an Amazon S3 bucket that has server-side encryption (SSE) enabled. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function to rotate the credentials.
- D. Encrypt the credentials as secrets by using AWS Key Management Service (AWS KMS) multi-Region customer managed keys. Store the secrets in an Amazon DynamoDB global table. Use an AWS Lambda function to retrieve the secrets from DynamoDB. Use the RDS API to rotate the secrets.
Correct answer: A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.
Explanation
To rotate the Amazon RDS for MySQL credentials in several AWS Regions during the monthly maintenance window with the least operational overhead, store the credentials as a secret in AWS Secrets Manager, replicate that secret to the required Regions with multi-Region secret replication, and configure rotation on a schedule. Secrets Manager ships managed rotation functions for RDS for MySQL and accepts a cron-style rotation schedule, so a monthly rotation needs no custom code. Rotation runs against the primary secret, and the new value is propagated to every replica Region when the rotation completes, so one schedule covers all Regions. Option A is correct.

Option B: AWS Systems Manager Parameter Store can hold a credential as a SecureString parameter, but Parameter Store has neither built-in multi-Region replication nor built-in rotation. Both would have to be scripted and operated by the company, which is the overhead the question asks to avoid.

Option C: Keeping the credentials in an S3 bucket with SSE and rotating them from a Lambda function triggered by an EventBridge schedule can be made to work, but the rotation logic, the copy to the other Regions, the bucket access policy and the failure handling are all custom code that the company has to write, test and maintain.

Option D: Encrypting the credentials with a KMS multi-Region key, storing them in a DynamoDB global table and rotating them from a Lambda function through the RDS API rebuilds, piece by piece, what Secrets Manager already provides as a managed service. Every piece is something the company must build and operate itself.

Secrets Manager is purpose-built for storing and rotating secrets and is fully managed. Multi-Region replication makes the same secret readable in every required Region, and scheduled rotation removes the manual step from the maintenance window. Two practical caveats a practitioner should plan for: the rotation function must be able to reach the database over the network (it is deployed into the VPC, and the database security group must allow it on the MySQL port), and replica secrets are read-only copies, so rotation is configured only on the primary.
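The following CloudFormation template is an added example of the option A design; it is not part of the exam page or of any AWS sample. It creates the secret with a replica in a second Region, attaches it to an existing RDS for MySQL instance so that the connection details are filled in, and schedules the AWS-hosted MySQL single-user rotation function for 02:00 UTC on the first day of each month. The secret name, the rotation Lambda name, the `appuser` username, the replica Region default and all parameter values (DB identifier, subnet and security group IDs) are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the exam page): RDS for MySQL credentials held in
  Secrets Manager, replicated to a second Region and rotated monthly by the
  AWS-hosted MySQL single-user rotation function.

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: Assumed identifier of an existing RDS for MySQL instance
  RotationSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: >
      Assumed private subnets that can reach the DB and reach Secrets Manager
      (through a NAT gateway or a Secrets Manager interface endpoint)
  RotationSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Assumed security group that the DB security group allows on port 3306
  ReplicaRegion:
    Type: String
    Default: us-west-2   # assumed second Region

Resources:
  # Primary secret. Secrets Manager generates the password; only the
  # username is supplied here. Characters that break MySQL connection
  # strings are excluded from the generated password.
  DBCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: prod/mysql/app-user   # assumed name
      Description: RDS for MySQL application credentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appuser"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
      # Multi-Region replication: read-only replicas that receive every
      # value written to the primary, including each rotated password.
      ReplicaRegions:
        - Region: !Ref ReplicaRegion

  # Adds engine, host, port and dbname to the secret so the rotation
  # function knows which instance to connect to.
  DBCredentialsAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBCredentials
      TargetId: !Ref DBInstanceIdentifier
      TargetType: AWS::RDS::DBInstance

  # Scheduled rotation on the primary secret. HostedRotationLambda deploys
  # the AWS-provided MySQL single-user rotation function into the VPC, so
  # no custom rotation code is written or maintained.
  DBCredentialsRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DBCredentialsAttachment
    Properties:
      SecretId: !Ref DBCredentials
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: rds-mysql-app-user-rotation   # assumed name
        VpcSubnetIds: !Join [",", !Ref RotationSubnetIds]
        VpcSecurityGroupIds: !Ref RotationSecurityGroupId
      RotationRules:
        # 02:00 UTC on the 1st of every month (the monthly maintenance
        # window), with a 2-hour window in which the rotation may start.
        ScheduleExpression: cron(0 2 1 * ? *)
        Duration: 2h
      # Wait for the first scheduled window instead of rotating on deploy.
      RotateImmediatelyOnUpdate: false

Outputs:
  SecretArn:
    Description: ARN of the primary secret (replicas share the name in their Regions)
    Value: !Ref DBCredentials
```

Two design points worth noting. Rotation is defined once, on the primary secret; the replica Region only ever reads, so applications in that Region fetch the secret by name from their local endpoint and see the new password after each monthly run. Because the hosted rotation function runs inside the VPC, the deployment fails at the first rotation rather than at stack creation if the security group or the route to Secrets Manager is wrong, so test one rotation (`aws secretsmanager rotate-secret --secret-id prod/mysql/app-user`) before relying on the schedule.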