AWS Certified Security – Specialty (SCS-C02) — Question 84

A security engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.

Which combination of steps can the engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Answer options

• A. Have a database administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
• B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the engineer that the application needs to be restarted.
• C. Configure automatic rotation of credentials in AWS Secrets Manager.
• D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
• E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Correct answer: C, E

Explanation

The correct answers are C and E because AWS Secrets Manager provides built-in functionality for automatic credential rotation, minimizing downtime, and E allows the application to dynamically retrieve updated credentials during runtime. Options A and D involve additional manual steps and storage methods that do not inherently manage credential rotation as efficiently as Secrets Manager, while B requires an application restart, which is counterproductive to minimizing downtime.