AWS Certified Solutions Architect – Associate (SAA-C02) — Question 441
A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases.
Which solution meets this requirement with the LEAST operational overhead?
Answer options
- A. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
- B. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
- C. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
- D. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
Correct answer: A
Explanation
AWS Secrets Manager natively supports automatic password rotation for Amazon RDS databases, including PostgreSQL, with minimal configuration, which makes option A the solution with the least operational overhead. AWS Systems Manager Parameter Store does not natively support automatic rotation, which rules out option B, and writing a custom AWS Lambda function to handle rotation (option C) introduces additional development and maintenance overhead. AWS KMS (option D) is designed for cryptographic key management rather than for storing and rotating application or database credentials directly.