AWS Certified Database – Specialty — Question 72

A company is going through a security audit. The audit team has identified cleartext master user password in the AWS CloudFormation templates for Amazon
RDS for MySQL DB instances. The audit team has flagged this as a security risk to the database team.
What should a database specialist do to mitigate this risk?

Answer options

• A. Change all the databases to use AWS IAM for authentication and remove all the cleartext passwords in CloudFormation templates.
• B. Use an AWS Secrets Manager resource to generate a random password and reference the secret in the CloudFormation template.
• C. Remove the passwords from the CloudFormation templates so Amazon RDS prompts for the password when the database is being created.
• D. Remove the passwords from the CloudFormation template and store them in a separate file. Replace the passwords by running CloudFormation using a sed command.

Correct answer: B

Explanation

Option B is correct because using AWS Secrets Manager allows for secure management of sensitive information, such as passwords, by referencing them in the CloudFormation template without exposing them in plaintext. Option A, while improving security, does not address the immediate issue of cleartext passwords in templates. Option C creates a less automated process and could lead to user error, while option D still exposes passwords and does not utilize AWS's security features effectively.