AWS Certified Developer – Associate (DVA-C02) — Question 400
A company has an ecommerce web application that uses an on-premises MySQL database as a data store. The company migrates the on-premises MySQL database to Amazon RDS for MySQL.
A developer needs to configure the application's access to the RDS for MySQL database. The developer's solution must not use long-term credentials.
Which solution will meet these requirements?
Answer options
- A. Enable IAM database authentication on the RDS for MySQL DB instance. Create an IAM role that has the minimum required permissions. Assign the role to the application.
- B. Store the MySQL credentials as secrets in AWS Secrets Manager. Create an IAM role that has the minimum required permissions to retrieve the secrets. Assign the role to the application.
- C. Configure the MySQL credentials as environment variables that are available at runtime for the application.
- D. Store the MySQL credentials as SecureString parameters in AWS Systems Manager Parameter Store. Create an IAM role that has the minimum required permissions to retrieve the parameters. Assign the role to the application.
Correct answer: A
Explanation
Enabling IAM database authentication allows the application to authenticate to the RDS for MySQL DB instance using short-lived IAM credentials, completely eliminating the need for long-term database passwords. AWS Secrets Manager, Parameter Store, and environment variables can secure or store database secrets, but all three still ultimately rely on static, long-term database credentials. Therefore, IAM database authentication coupled with an IAM role is the only solution that avoids long-term credentials entirely.