AWS Certified Security – Specialty — Question 82

A Security Engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the Engineer take to protect the credentials and minimize downtime when the credentials are rotated? (Choose two.)

Answer options

• A. Have a Database Administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
• B. Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the Engineer that the application needs to be restarted.
• C. Configure automatic rotation of credentials in AWS Secrets Manager.
• D. Store the credential in an encrypted string parameter in AWS Systems Manager Parameter Store. Grant permission to the instance role associated with the EC2 instance to access the parameter and the AWS KMS key that is used to encrypt it.
• E. Configure the Java application to catch a connection failure and make a call to AWS Secrets Manager to retrieve updated credentials when the password is rotated. Grant permission to the instance role associated with the EC2 instance to access Secrets Manager.

Correct answer: C, E

Explanation

The correct answers are C and E because AWS Secrets Manager automates credential rotation, providing a seamless way to manage and update credentials without downtime. Option E enhances this by allowing the application to dynamically retrieve updated credentials, preventing connection failures. Options A, B, and D do not effectively minimize downtime or utilize automatic credential rotation as efficiently as C and E do.