AWS Certified Developer – Associate (DVA-C02) — Question 132
A company created four AWS Lambda functions that connect to a relational database server that runs on an Amazon RDS instance. A security team requires the company to automatically change the database password every 30 days.
Which solution will meet these requirements MOST securely?
Answer options
- A. Store the database credentials in the environment variables of the Lambda function. Deploy the Lambda function with the new credentials every 30 days.
- B. Store the database credentials in AWS Secrets Manager. Configure a 30-day rotation schedule for the credentials.
- C. Store the database credentials in AWS Systems Manager Parameter Store secure strings. Configure a 30-day schedule for the secure strings.
- D. Store the database credentials in an Amazon S3 bucket that uses server-side encryption with customer-provided encryption keys (SSE-C). Configure a 30-day key rotation schedule for the customer key.
Correct answer: B
Explanation
Option B is the most secure solution because AWS Secrets Manager is purpose-built for storing sensitive data and can rotate database credentials automatically on a schedule; for an Amazon RDS database, a managed rotation changes the password in the database and updates the stored secret together, so the Lambda functions only need to fetch the current secret at runtime. Option A is less secure because it places credentials in environment variables and depends on a redeployment of the function every 30 days. Option C, while secure at rest, has no built-in rotation for secure strings, so the 30-day password change would still have to be implemented separately. Option D rotates only the SSE-C customer key, which re-encrypts the object but never changes the database password, and an S3 bucket is not an appropriate store for credentials.