AWS Certified Database – Specialty — Question 329
A security team is conducting an audit for a financial company. The security team discovers that the database credentials of an Amazon RDS for MySQL DB instance are hardcoded in the source code. The source code is stored in a shared location for automatic deployment and is exposed to all users who can access the location.
A database specialist must use encryption to ensure that the credentials are not visible in the source code.
Which solution will meet these requirements?
Answer options
- A. Use an AWS Key Management Service (AWS KMS) key to encrypt the most recent database backup. Restore the backup as a new database to activate encryption.
- B. Store the source code to access the credentials in an AWS Systems Manager Parameter Store secure string parameter that is encrypted by AWS Key Management Service (AWS KMS). Access the code with calls to Systems Manager.
- C. Store the credentials in an AWS Systems Manager Parameter Store secure string parameter that is encrypted by AWS Key Management Service (AWS KMS). Access the credentials with calls to Systems Manager.
- D. Use an AWS Key Management Service (AWS KMS) key to encrypt the DB instance at rest. Activate RDS encryption in transit by using SSL certificates.
Correct answer: C
Explanation
Storing the database credentials as a secure string in AWS Systems Manager Parameter Store encrypted by AWS KMS (Option C) allows the application to retrieve the credentials dynamically at runtime, removing them from the hardcoded source code. Option B is incorrect because storing the application source code itself in Parameter Store is not a viable solution. Options A and D are incorrect because they address database-level encryption (at rest and in transit) rather than resolving the issue of exposed credentials in the source code repository.
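As an added illustration of the pattern behind Option C (not part of the original question set), the Python below fetches the credentials from a SecureString parameter at runtime instead of embedding them; the parameter name /prod/rds/mysql, the KMS alias, and the JSON layout are assumptions, and StubSsm is a constructed offline stand-in for the boto3 SSM client.

```python
"""Retrieve RDS MySQL credentials from an SSM Parameter Store SecureString.

Assumed setup (hypothetical names): the parameter was created once with
  aws ssm put-parameter --name /prod/rds/mysql --type SecureString \
      --key-id alias/rds-creds --value '{"username":"app","password":"..."}'
"""
import json

DEFAULT_PARAM = "/prod/rds/mysql"  # hypothetical parameter name


def load_db_credentials(ssm_client, name=DEFAULT_PARAM):
    """Fetch and decrypt the SecureString through Systems Manager.

    WithDecryption=True makes SSM call KMS Decrypt on the caller's behalf, so
    the caller's IAM identity needs ssm:GetParameter on the parameter and
    kms:Decrypt on the key; the plaintext never lives in the source tree.
    """
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        # Refuse a plaintext String/StringList parameter for a secret.
        raise ValueError(f"{name} is not a SecureString parameter")
    creds = json.loads(param["Value"])
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise ValueError(f"{name} is missing fields: {sorted(missing)}")
    return creds


def build_mysql_settings(creds, host, port=3306, database="app"):
    """Assemble connection settings; host and database are ordinary config."""
    return {"host": host, "port": port, "user": creds["username"],
            "password": creds["password"], "database": database}


class StubSsm:
    """Constructed offline stand-in for boto3's SSM client (no AWS calls)."""

    def __init__(self, store):
        self._store = store

    def get_parameter(self, Name, WithDecryption=False):
        p = self._store[Name]
        secure = p["Type"] == "SecureString"
        value = p["Value"] if (WithDecryption or not secure) else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": p["Type"], "Value": value}}


if __name__ == "__main__":
    import boto3  # real client only when run against an AWS account
    creds = load_db_credentials(boto3.client("ssm"))
    print(build_mysql_settings(creds, host="db.example.internal")["user"])
```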