AWS Certified Database – Specialty — Question 58

A company is developing a multi-tier web application hosted on AWS using Amazon Aurora as the database. The application needs to be deployed to production and other non-production environments. A Database Specialist needs to specify different MasterUsername and MasterUserPassword properties in the AWS
CloudFormation templates used for automated deployment. The CloudFormation templates are version controlled in the company's code repository. The company also needs to meet compliance requirement by routinely rotating its database master password for production.
What is most secure solution to store the master password?

Answer options

• A. Store the master password in a parameter file in each environment. Reference the environment-specific parameter file in the CloudFormation template.
• B. Encrypt the master password using an AWS KMS key. Store the encrypted master password in the CloudFormation template.
• C. Use the secretsmanager dynamic reference to retrieve the master password stored in AWS Secrets Manager and enable automatic rotation.
• D. Use the ssm dynamic reference to retrieve the master password stored in the AWS Systems Manager Parameter Store and enable automatic rotation.

Correct answer: C

Explanation

The correct answer is C because using AWS Secrets Manager allows for secure storage and automatic rotation of the database master password, meeting compliance requirements. Options A and B are less secure as they involve static storage of passwords, and option D, while secure, does not provide the same level of convenience for password rotation as AWS Secrets Manager.