AWS Certified Developer – Associate (DVA-C02) — Question 194

A company needs to set up secure database credentials for all its AWS Cloud resources. The company’s resources include Amazon RDS DB instances, Amazon DocumentDB clusters, and Amazon Aurora DB instances. The company’s security policy mandates that database credentials be encrypted at rest and rotated at a regular interval.

Which solution will meet these requirements MOST securely?

Answer options

• A. Set up IAM database authentication for token-based access. Generate user tokens to provide centralized access to RDS DB instances, Amazon DocumentDB clusters, and Aurora DB instances.
• B. Create parameters for the database credentials in AWS Systems Manager Parameter Store. Set the Type parameter to SecureString. Set up automatic rotation on the parameters.
• C. Store the database access credentials as an encrypted Amazon S3 object in an S3 bucket. Block all public access on the S3 bucket. Use S3 server-side encryption to set up automatic rotation on the encryption key.
• D. Create an AWS Lambda function by using the SecretsManagerRotationTemplate template in the AWS Secrets Manager console. Create secrets for the database credentials in Secrets Manager. Set up secrets rotation on a schedule.

Correct answer: D

Explanation

The correct answer is D because AWS Secrets Manager is specifically designed for managing secrets securely, including automatic rotation, encryption at rest, and integration with various AWS services. Option A does not provide encryption for credentials at rest, and while option B offers some security, it lacks the robust features of Secrets Manager. Option C, although it secures credentials in S3, does not have built-in rotation capabilities and is less ideal for sensitive database credentials.