AWS Certified Developer – Associate (DVA-C02) — Question 252
A company runs an application on Amazon EC2 instances. The EC2 instances open connections to an Amazon RDS for SQL Server database. A developer needs to store and access the credentials and wants to automatically rotate the credentials. The developer does not want to store the credentials for the database in the code.
Which solution will meet these requirements in the MOST secure way?
Answer options
- A. Create an IAM role that has permissions to access the database. Attach the IAM role to the EC2 instances.
- B. Store the credentials as secrets in AWS Secrets Manager. Create an AWS Lambda function to update the secrets and the database. Retrieve the credentials from Secrets Manager as needed.
- C. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance launch template to download the credentials from Amazon S3 as the instance launches. Create an AWS Lambda function to update the secrets and the database.
- D. Store the credentials in an Amazon DynamoDB table. Configure an Amazon CloudWatch Events rule to invoke an AWS Lambda function to periodically update the secrets and database.
Correct answer: B
Explanation
Option B is the most secure solution. AWS Secrets Manager is purpose-built for storing database credentials: the secret is encrypted with AWS KMS, access is scoped with IAM (the EC2 instance role needs only secretsmanager:GetSecretValue on that one secret), every retrieval is logged in CloudTrail, and rotation is driven by a Lambda rotation function that both changes the password in the database and updates the secret, so the code never contains a credential and only ever reads the current value at runtime. Option A does not meet the requirements: IAM database authentication is available for RDS for MySQL, MariaDB and PostgreSQL, not for RDS for SQL Server, so an IAM role alone cannot log the instances in to this database. Option C keeps a credential file in a general-purpose object store and reads it only at instance launch, so already-running instances keep using the old password after the Lambda rotates it. Option D turns a DynamoDB table into a home-made secrets store with no built-in rotation, versioning or secret-specific access controls, which is strictly weaker than the managed service.
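The practical caveat with option B is that an application which caches the secret will keep presenting the old password after a rotation until it re-reads the secret. The example below is added here and is not part of the exam page or of any AWS SDK: it parses the JSON layout that the Secrets Manager RDS rotation functions maintain (username, password, engine, host, port, dbname), caches it for a short TTL, and re-fetches once when the database rejects the cached login. The real client would be boto3's `client("secretsmanager")`, whose `get_secret_value(SecretId=...)` returns the AWSCURRENT version in `SecretString`; the `FakeSecretsManager`, `FakeSqlServer`, secret name and passwords below are constructed stand-ins so the code runs offline.

```python
import json
import time
from dataclasses import dataclass
from typing import Callable


class AuthError(Exception):
    """Raised by the connect function when the database rejects the login."""


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    host: str
    port: int
    dbname: str

    def connection_string(self) -> str:
        # ODBC-style string for SQL Server with TLS forced; never log this value.
        return (f"Driver={{ODBC Driver 18 for SQL Server}};Server={self.host},{self.port};"
                f"Database={self.dbname};UID={self.username};PWD={self.password};Encrypt=yes")


def parse_rds_secret(secret_string: str) -> DbCredentials:
    """Parse the JSON layout written by the Secrets Manager RDS rotation functions."""
    body = json.loads(secret_string)
    return DbCredentials(username=body["username"], password=body["password"],
                         host=body["host"], port=int(body["port"]), dbname=body["dbname"])


class CredentialProvider:
    """Cache the secret for `ttl` seconds and let the caller drop the cache when the
    database rejects the cached password (the symptom of a rotation mid-cache)."""

    def __init__(self, client, secret_id: str, ttl: float = 300.0, clock=time.monotonic):
        self._client = client            # boto3 secretsmanager client or an offline stand-in
        self._secret_id = secret_id
        self._ttl = ttl
        self._clock = clock
        self._cached = None
        self._fetched_at = 0.0

    def get(self) -> DbCredentials:
        if self._cached is None or self._clock() - self._fetched_at > self._ttl:
            # Without VersionStage, get_secret_value returns the AWSCURRENT version.
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            self._cached = parse_rds_secret(resp["SecretString"])
            self._fetched_at = self._clock()
        return self._cached

    def invalidate(self) -> None:
        self._cached = None


def connect_with_refresh(provider: CredentialProvider,
                         connect: Callable[[DbCredentials], object]) -> object:
    """Connect with the cached secret; on an auth failure re-read it once and retry."""
    try:
        return connect(provider.get())
    except AuthError:
        provider.invalidate()
        return connect(provider.get())


# Constructed offline stand-ins for Secrets Manager and the database (not AWS code).
class FakeSecretsManager:
    def __init__(self, secret_id: str, payload: dict):
        self._store = {secret_id: json.dumps(payload)}
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"SecretString": self._store[SecretId]}

    def rotate(self, secret_id: str, new_password: str) -> None:
        # Net effect of the rotation Lambda's finishSecret step: AWSCURRENT has the new password.
        body = json.loads(self._store[secret_id])
        body["password"] = new_password
        self._store[secret_id] = json.dumps(body)


class FakeSqlServer:
    def __init__(self, password: str):
        self.password = password
        self.logins = []           # passwords presented, so the retry path is observable

    def connect(self, creds: DbCredentials) -> str:
        self.logins.append(creds.password)
        if creds.password != self.password:
            raise AuthError(f"Login failed for user {creds.username!r}")
        return creds.connection_string()


def demo() -> dict:
    """Walk through a rotation and show the stale cached credential being refreshed."""
    payload = {"engine": "sqlserver", "host": "db.example.internal", "port": 1433,
               "dbname": "app", "username": "app_user", "password": "pw-v1"}
    sm = FakeSecretsManager("prod/app/sqlserver", payload)
    db = FakeSqlServer("pw-v1")
    provider = CredentialProvider(sm, "prod/app/sqlserver")
    connect_with_refresh(provider, db.connect)           # cache miss: one API call
    connect_with_refresh(provider, db.connect)           # cache hit: still one
    calls_before_rotation = sm.calls
    sm.rotate("prod/app/sqlserver", "pw-v2")            # Lambda rotated secret and database
    db.password = "pw-v2"
    conn = connect_with_refresh(provider, db.connect)   # stale cache -> AuthError -> refetch -> ok
    return {"calls_before_rotation": calls_before_rotation, "calls_after": sm.calls,
            "logins": list(db.logins), "current_password": provider.get().password,
            "connected_with_v2": "PWD=pw-v2" in conn}


if __name__ == "__main__":
    print(demo())
```

The refresh-on-failure path is what makes rotation safe to turn on: with a fixed TTL alone there is a window after every rotation in which connections fail, and with no cache every connection costs a Secrets Manager call. Keep the retry to a single attempt so a genuinely wrong secret cannot turn into a login-hammering loop against the database.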