AWS Certified Security – Specialty — Question 221
A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.
Which solution meets these requirements?
Answer options
- A. Use AWS Systems Manager Parameter Store to store the database credentials. Configure automatic rotation of the credentials.
- B. Use AWS Secrets Manager to store the database credentials. Configure automatic rotation of the credentials.
- C. Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3). Rotate the credentials with IAM database authentication.
- D. Store the database credentials in Amazon S3 Glacier, and use S3 Glacier Vault Lock. Configure an AWS Lambda function to rotate credentials on a scheduled basis.
Correct answer: B
Explanation
The correct answer is B because AWS Secrets Manager is purpose-built for storing and rotating secrets such as database credentials: secret values are encrypted at rest with AWS KMS, every API call is made over TLS (encryption in transit), and the service offers built-in scheduled rotation, with managed rotation for Amazon RDS credentials. Option A is weaker because Systems Manager Parameter Store, although it can encrypt values with KMS as SecureString parameters, has no built-in rotation feature; rotation would have to be implemented and scheduled separately. Options C and D place credentials in S3 or S3 Glacier, which is not a recommended practice for sensitive database credentials: object storage is not designed for secret lifecycle management, rotation would have to be built from scratch, and misconfigured bucket or vault access policies create an unnecessary exposure risk.