AWS Certified Developer – Associate — Question 32

An application running on Amazon EC2 opens connections to an Amazon RDS SQL Server database. The developer does not want to store the user name and password for the database in the code. The developer would also like to automatically rotate the credentials.
What is the MOST secure way to store and access the database credentials?

Answer options

• A. Create an IAM role that has permissions to access the database. Attach the role to the EC2 instance.
• B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.
• C. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance's user data to download the credentials from Amazon S3 as the instance boots.
• D. Store the user name and password credentials directly in the source code. No further action is needed because the source code is stored in a private repository.

Correct answer: B

Explanation

The most secure option is to use AWS Secrets Manager (option B), as it allows for safe storage, retrieval, and automatic rotation of credentials. Option A is incorrect because IAM roles do not store credentials; they provide access permissions. Option C is less secure due to the risk of exposing the S3 bucket. Option D is insecure, as hardcoding credentials in the source code is a bad practice, regardless of repository privacy.