AWS Certified Security – Specialty — Question 318
A company is using AWS Secrets Manager to manage database credentials that an application uses to access Amazon DocumentDB (with MongoDB compatibility). The company needs to implement automated password rotation.
Which solution will meet this requirement with the LEAST administrative overhead?
Answer options
- A. Create a new AWS Lambda function to manage the password rotation. Turn on automatic password rotation in Secrets Manager. Associate the rotation with the Lambda function.
- B. Turn on automatic password rotation in Secrets Manager. Configure Secrets Manager to create a new AWS Lambda function to manage the password rotation.
- C. Use the SecretsManagerRotationTemplate from the AWS Serverless Application Model (AWS SAM) to create a new AWS Lambda function. Change the vpc-config option of the Lambda function to include the subnet IDs where Amazon DocumentDB is hosted.
- D. Use the SecretsManagerRotationTemplate from the AWS Serverless Application Model (AWS SAM) to create three new AWS Lambda functions: createSecret, setSecret, and testSecret. Change the vpc-config option of all three Lambda functions to include the subnet IDs where Amazon DocumentDB is hosted.
Correct answer: B
Explanation
AWS Secrets Manager provides native integration to automatically create and configure the rotation AWS Lambda function for supported databases such as Amazon DocumentDB. Turning on automatic rotation and letting Secrets Manager create the function requires the least administrative effort because AWS handles the deployment and configuration of the rotation function. Option A requires writing and maintaining the rotation function yourself, and options C and D require deploying SAM templates and configuring the functions' VPC settings by hand, all of which add operational complexity and overhead.