Q61 — AWS SAA-C03 Chapter 3
Q191. A company is developing a two-tier web application on AWS. The company's developers have deployed the application on Amazon EC2 instances that connect directly to a backend Amazon RDS database. The company must not hardcode database credentials in the application. The company must also implement a solution to automatically rotate the database credentials on a regular basis. Which solution will meet these requirements with the LEAST operational overhead?
- A. Store the database credentials in the instance metadata. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the instance metadata at the same time.
- B. Store the database credentials in a configuration file in an encrypted Amazon S3 bucket. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. Use S3 Versioning to ensure the ability to fall back to previous values.
- C. Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret. ✓
- D. Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Turn on automatic rotation for the encrypted parameters. Attach the required permission to the EC2 role to grant access to the encrypted parameters.
Correct answer: C. Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.
Explanation
To store database credentials securely and rotate them automatically on a regular basis with the least operational overhead, the company should store the database credentials as a secret in AWS Secrets Manager and enable automatic rotation for the secret. The EC2 instance role should be granted permission to read the secret. Therefore, option C is the correct answer.

Option A suggests storing the database credentials in instance metadata and using Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the instance metadata at the same time. While this approach may work, it requires more configuration management than using AWS Secrets Manager.

Option B suggests storing the database credentials in a configuration file in an encrypted Amazon S3 bucket and using Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. While this approach may work, it likewise requires the company to build and maintain its own rotation logic instead of using the rotation built into AWS Secrets Manager.

Option D suggests storing the database credentials as encrypted parameters in AWS Systems Manager Parameter Store and enabling automatic rotation for the encrypted parameters, with the EC2 role granted permission to access those parameters. Parameter Store is not designed specifically for secrets management: it has no built-in rotation for RDS credentials, so the "automatic rotation" in this option would still have to be implemented and operated by the company, and it does not provide the same level of security and ease of use as AWS Secrets Manager for this purpose.

By using AWS Secrets Manager to store the database credentials as a secret and enabling automatic rotation, the company ensures that the credentials are rotated automatically without any manual intervention. Granting the EC2 role permission to read the secret lets the application retrieve the current credentials at runtime, which is a secure way to manage sensitive information without hardcoding the credentials in the application. This solution meets the requirements stated in the question with minimal operational overhead.