AWS Certified Security – Specialty — Question 273

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data. During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company's source code repository.
A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only. The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrative overhead.
Which solution meets these requirements?

Answer options

• A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
• B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
• C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
• D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Correct answer: D

Explanation

AWS Secrets Manager is the optimal choice because it natively supports automatic credential rotation for Amazon RDS, which minimizes administrative overhead compared to Systems Manager Parameter Store. To restrict access to only the authorized application containers, IAM roles for ECS tasks should be used to grant the necessary permissions. This combination secures the credentials, automates lifecycle management, and prevents unauthorized sharing of plaintext credentials.