AWS Certified Security – Specialty (SCS-C02) — Question 108
A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials.
The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.
Which solution will meet the requirements?
Answer options
- A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
- B. Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
- C. Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
- D. Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS.
Correct answer: A
Explanation
The correct answer is A because a dynamic reference lets the CloudFormation template retrieve the sensitive database credentials directly from AWS Secrets Manager at deployment time, without hardcoding them in the template. Option B is incorrect because encrypting the template itself does not address how sensitive values are handled. Option C, although it mentions Secrets Manager, does not use dynamic references, which are what actually retrieve the secret securely. Option D incorrectly suggests referencing an encrypted value in AWS KMS instead of using Secrets Manager directly.
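The pattern behind option A, shown as an added example that is not part of the original question: the secret is generated by Secrets Manager inside the same stack and the RDS instance consumes it through a `{{resolve:secretsmanager:...}}` dynamic reference, so the password never appears in the template, a parameter value or the stack's resource view. The resource names and the `prod/app/db` secret name are assumptions.

```yaml
# Added example (not from the original page). Assumes a default VPC and
# that the deploying principal may call secretsmanager:GetSecretValue.
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS master credentials supplied via a Secrets Manager dynamic reference
Resources:
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: prod/app/db            # assumed name
      Description: Master credentials for AppDatabase, generated at deploy time
      # Encrypted with the aws/secretsmanager KMS key unless KmsKeyId is set
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'  # characters RDS rejects in master passwords
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageEncrypted: true
      # Dynamic references are resolved by CloudFormation at create/update time;
      # the empty field after the secret ARN means "use the SecretString body".
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}::password}}'
  SecretAttachment:
    # Records the DB endpoint/port in the secret so rotation can target it later
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref AppDatabase
      TargetType: AWS::RDS::DBInstance
```

The resolved value is only as protected as the property it lands in: RDS never returns the master password, but the same reference placed in a Lambda environment variable would be readable by anyone allowed to describe that function.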