AWS Certified Database – Specialty — Question 185
A company is creating a serverless application that uses multiple AWS services and stores data on an Amazon RDS DB instance. The database credentials must be stored securely. An AWS Lambda function must be able to access the credentials. The company also must rotate the database password monthly by using an automated solution.
What should a database specialist do to meet those requirements in the MOST secure manner?
Answer options
- A. Store the database credentials by using AWS Systems Manager Parameter Store. Enable automatic rotation of the password. Use the AWS Cloud Development Kit (AWS CDK) in the Lambda function to retrieve the credentials from Parameter Store
- B. Encrypt the database credentials by using AWS Key Management Service (AWS KMS). Store the credentials in Amazon S3. Use an S3 Lifecycle policy to rotate the password. Retrieve the credentials by using Python code in Lambda
- C. Store the database credentials by using AWS Secrets Manager. Enable automatic rotation of the password. Configure the Lambda function to use the Secrets Manager API to retrieve the credentials
- D. Store the database credentials in an Amazon DynamoDB table. Assign an IAM role to the Lambda function to grant the Lambda function read-only access to the DynamoDB table. Rotate the password by using another Lambda function that runs monthly
Correct answer: C
Explanation
The correct answer is C because AWS Secrets Manager is purpose-built for storing and managing secrets: it can rotate Amazon RDS credentials automatically on a schedule (for example, every 30 days) using a rotation Lambda function that it provisions, and the application's Lambda function needs only IAM permission for secretsmanager:GetSecretValue on that one secret. Option A lacks Secrets Manager's dedicated secret management and rotation capabilities: Parameter Store can hold a SecureString, but it has no built-in password rotation, and the AWS CDK is an infrastructure-definition toolkit, not a runtime SDK for reading parameters. Option B is less secure because S3 is not designed for holding credentials, and an S3 Lifecycle policy only expires or transitions objects; it cannot change a database password. Option D adds unnecessary complexity: a DynamoDB table plus a custom rotation function re-implements, with more code and more IAM surface, what Secrets Manager already provides.
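The following Python is an added illustration of option C and is not part of the original question or any AWS sample: a Lambda function that retrieves RDS credentials through the Secrets Manager GetSecretValue API, caches them for a short time so a warm container does not call the API on every invocation, and refetches when a connection fails with an authentication error, which is the normal symptom right after an automatic rotation. The secret name, the DB_SECRET_ID environment variable, the FakeSecretsManager stand-in and the two secret strings are constructed assumptions for running the code offline; inside Lambda the real boto3 client is used.

```python
import json
import os
import time
from typing import Any, Callable, Dict

# Module-level cache: a warm Lambda container reuses the secret across
# invocations. The TTL is short so a rotated password is picked up quickly.
_CACHE: Dict[str, Dict[str, Any]] = {}
CACHE_TTL_SECONDS = 300

# Keys Secrets Manager stores for an RDS secret (plus engine, which we do not need).
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")

# Constructed sample secrets (not real credentials): before and after a rotation.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "app_user", "password": "constructed-old-pw",
    "host": "db.example.internal", "port": "5432", "dbname": "appdb", "engine": "postgres",
})
ROTATED_SECRET_STRING = SAMPLE_SECRET_STRING.replace("constructed-old-pw", "constructed-new-pw")


def parse_secret(secret_string: str) -> Dict[str, Any]:
    """Parse the JSON SecretString and check the fields a DB connection needs."""
    data = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret is missing required keys: {missing}")
    data["port"] = int(data["port"])  # stored as a string in the secret
    return data


def get_db_credentials(secret_id: str, client=None, now: Callable[[], float] = time.time) -> Dict[str, Any]:
    """Return credentials for secret_id, from cache if fresh, else via GetSecretValue."""
    entry = _CACHE.get(secret_id)
    if entry and now() - entry["fetched_at"] < CACHE_TTL_SECONDS:
        return entry["creds"]
    if client is None:
        import boto3  # available in the Lambda runtime; imported lazily for offline use
        client = boto3.client("secretsmanager")
    # Without VersionStage, GetSecretValue returns the AWSCURRENT version,
    # i.e. the password that rotation has already applied to the database.
    response = client.get_secret_value(SecretId=secret_id)
    creds = parse_secret(response["SecretString"])
    _CACHE[secret_id] = {"creds": creds, "fetched_at": now()}
    return creds


def invalidate(secret_id: str) -> None:
    """Drop a cached secret (used after an authentication failure)."""
    _CACHE.pop(secret_id, None)


def connect_with_fresh_credentials(secret_id: str, connect: Callable[[Dict[str, Any]], Any], client=None):
    """Connect with cached credentials; on an auth failure (typical right after
    rotation) discard the cache, fetch AWSCURRENT again and retry once."""
    creds = get_db_credentials(secret_id, client)
    try:
        return connect(creds)
    except PermissionError:
        invalidate(secret_id)
        creds = get_db_credentials(secret_id, client)
        return connect(creds)


def lambda_handler(event, context):
    """Lambda entry point. DB_SECRET_ID is an assumed environment variable holding
    the secret name or ARN; the password itself is never logged or returned."""
    creds = get_db_credentials(os.environ["DB_SECRET_ID"])
    # A real handler would open the database connection here with creds.
    return {"statusCode": 200, "body": json.dumps({"connected_as": creds["username"]})}


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client, for offline runs only."""

    def __init__(self, secret_string: str) -> None:
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string, "VersionStages": ["AWSCURRENT"]}


if __name__ == "__main__":
    fake = FakeSecretsManager(SAMPLE_SECRET_STRING)
    print(get_db_credentials("prod/app/rds", client=fake)["username"])
    fake.secret_string = ROTATED_SECRET_STRING  # simulate an automatic rotation

    def connect(c):
        if c["password"] != "constructed-new-pw":
            raise PermissionError("authentication failed")
        return f"connection as {c['username']}"

    print(connect_with_fresh_credentials("prod/app/rds", connect, client=fake))
```

The function's execution role should grant only secretsmanager:GetSecretValue on the specific secret ARN (plus kms:Decrypt on the secret's KMS key if a customer-managed key is used); the retry-on-PermissionError path is what keeps the application working across the monthly rotation without a redeploy.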