AWS Certified Developer – Associate — Question 314

A developer manages an Amazon RDS for PostgreSQL database. An Amazon Elastic Container Service (Amazon ECS) container that uses AWS Fargate needs to modify the contents of the database during a nightly run.

Which combination of steps should the developer take to provide database access to the container in the MOST secure manner? (Choose two.)

Answer options

• A. Define a database secret in AWS Secrets Manager. Provide the credentials to the container by using the task definition.
• B. Define a password in AWS CloudFormation. Pass the password into the environment variables of the container.
• C. Enable IAM authentication for the database. Grant the appropriate permissions to the container.
• D. Use an Amazon Cognito identity pool to authenticate the container. Use the provided response token to connect to the database.
• E. Define an AWS Key Management Service (AWS KMS) key that encrypts the contents of the database. Grant permission to decrypt to the container.

Correct answer: A, C

Explanation

Enabling IAM database authentication (Option C) is highly secure because it eliminates the need to manage database credentials, relying instead on temporary AWS IAM security tokens. For standard password authentication, storing credentials in AWS Secrets Manager and injecting them securely via the ECS task definition (Option A) ensures that secrets are not exposed in plaintext. Passing passwords via CloudFormation environment variables (Option B) is insecure, Cognito (Option D) is not designed for direct RDS database authentication, and KMS permissions (Option E) secure storage encryption but do not grant database access.