AWS Certified Solutions Architect – Associate (SAA-C02) — Question 334
A company has a custom application with embedded credentials that retrieves information from an Amazon RDS MySQL DB instance. Management says the application must be made more secure with the least amount of programming effort.
What should a solutions architect do to meet these requirements?
Answer options
- A. Use AWS Key Management Service (AWS KMS) customer master keys (CMKs) to create keys. Configure the application to load the database credentials from AWS KMS. Enable automatic key rotation.
- B. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Create an AWS Lambda function that rotates the credentials in Secret Manager.
- C. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager.
- D. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Systems Manager Parameter Store. Configure the application to load the database credentials from Parameter Store. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Parameter Store.
Correct answer: C
Explanation
AWS Secrets Manager natively supports automatic credential rotation for Amazon RDS MySQL databases without requiring a custom Lambda function, providing the most secure solution with the least amount of development effort. While AWS KMS manages encryption keys, it does not store or rotate database credentials directly. AWS Systems Manager Parameter Store is a configuration management service that lacks native, out-of-the-box database credential rotation capabilities compared to Secrets Manager.