AWS Certified Database – Specialty — Question 92

A company has an AWS CloudFormation template written in JSON that is used to launch new Amazon RDS for MySQL DB instances. The security team has asked a database specialist to ensure that the master password is automatically rotated every 30 days for all new DB instances that are launched using the template.
What is the MOST operationally efficient solution to meet these requirements?

Answer options

• A. Save the password in an Amazon S3 object. Encrypt the S3 object with an AWS KMS key. Set the KMS key to be rotated every 30 days by setting the EnableKeyRotation property to true. Use a CloudFormation custom resource to read the S3 object to extract the password.
• B. Create an AWS Lambda function to rotate the secret. Modify the CloudFormation template to add an AWS::SecretsManager::RotationSchedule resource. Configure the RotationLambdaARN value and, for the RotationRules property, set the AutomaticallyAfterDays parameter to 30.
• C. Modify the CloudFormation template to use the AWS KMS key as the database password. Configure an Amazon EventBridge rule to invoke the KMS API to rotate the key every 30 days by setting the ScheduleExpression parameter to ***/30***.
• D. Integrate the Amazon RDS for MySQL DB instances with AWS IAM and centrally manage the master database user password.

Correct answer: B

Explanation

The correct answer is B because it directly utilizes AWS Secrets Manager, which is designed for managing and rotating secrets, ensuring the master password is automatically changed every 30 days. Option A is less efficient as it involves manual processes with S3 and does not provide automatic rotation. Option C incorrectly suggests using KMS for password management, which is not suitable. Option D focuses on IAM integration but does not address the password rotation requirement effectively.