AWS Certified Solutions Architect – Associate (SAA-C02) — Question 445
A company has an application that calls AWS Lambda functions. A code review shows that database credentials are stored in a Lambda function's source code, which violates the company's security policy. The credentials must be securely stored and must be automatically rotated on an ongoing basis to meet security policy requirements.
What should a solutions architect recommend to meet these requirements in the MOST secure manner?
Answer options
- A. Store the password in AWS CloudHSM. Associate the Lambda function with a role that can use the key ID to retrieve the password from CloudHSM. Use CloudHSM to automatically rotate the password.
- B. Store the password in AWS Secrets Manager. Associate the Lambda function with a role that can use the secret ID to retrieve the password from Secrets Manager. Use Secrets Manager to automatically rotate the password.
- C. Store the password in AWS Key Management Service (AWS KMS). Associate the Lambda function with a role that can use the key ID to retrieve the password from AWS KMS. Use AWS KMS to automatically rotate the uploaded password.
- D. Move the database password to an environment variable that is associated with the Lambda function. Retrieve the password from the environment variable by invoking the function. Create a deployment script to automatically rotate the password.
Correct answer: B
Explanation
AWS Secrets Manager is specifically designed to protect secrets like database credentials and natively supports automatic rotation for various database types. AWS KMS and AWS CloudHSM are designed for cryptographic key management rather than storing and rotating application credentials. Using environment variables with custom rotation scripts is less secure and increases operational complexity compared to the native rotation capabilities of Secrets Manager.
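The retrieval pattern behind option B, as an added Python example that is not part of the exam page: the function holds only the secret's ID (here read from an assumed DB_SECRET_ID environment variable, defaulting to a placeholder name), fetches the credential JSON at runtime, caches it across warm invocations, and re-reads it once when the database rejects a password that Secrets Manager has since rotated. The Secrets Manager client is injected so the logic runs offline; open_db_connection is a hypothetical driver wrapper.

```python
import json
import os

# Added example: a Lambda-style handler that fetches DB credentials from
# Secrets Manager by secret ID instead of embedding them in source. The
# client is passed in so the logic runs offline with a stand-in; a real
# function would use boto3.client("secretsmanager"). Names are assumptions.

SECRET_ID = os.environ.get("DB_SECRET_ID", "prod/app/db")  # the ID, never the secret
credential_cache = {}  # reused across warm invocations of the same container

class StaleCredentialsError(Exception):
    """Raised by the connect step when the database rejects the password."""

def reset_cache():
    credential_cache.clear()

def fetch_credentials(client, secret_id):
    """Call GetSecretValue and parse the JSON body Secrets Manager keeps for DB secrets."""
    resp = client.get_secret_value(SecretId=secret_id)
    # The API returns SecretString for text secrets or SecretBinary for binary ones.
    raw = resp.get("SecretString") or resp["SecretBinary"].decode("utf-8")
    data = json.loads(raw)
    missing = {"username", "password", "host"} - data.keys()
    if missing:
        raise ValueError(f"secret {secret_id} lacks fields: {sorted(missing)}")
    return data

def get_credentials(client, secret_id=SECRET_ID, refresh=False):
    """Return cached credentials; refresh=True re-reads them after a rotation."""
    if refresh or secret_id not in credential_cache:
        credential_cache[secret_id] = fetch_credentials(client, secret_id)
    return credential_cache[secret_id]

def connect_with_rotation_retry(client, connect, secret_id=SECRET_ID):
    """Open a DB connection; if auth fails, assume the secret was rotated and re-fetch once."""
    try:
        return connect(get_credentials(client, secret_id))
    except StaleCredentialsError:
        # Automatic rotation changed the password while our cached copy was live.
        return connect(get_credentials(client, secret_id, refresh=True))

def lambda_handler(event, context):
    """Entry point; open_db_connection is a hypothetical driver wrapper returning a connection."""
    import boto3  # imported here so the module above runs without AWS access
    client = boto3.client("secretsmanager")
    return connect_with_rotation_retry(client, open_db_connection)  # hypothetical helper
```

The IAM role attached to the function needs only secretsmanager:GetSecretValue on that one secret ARN; the rotation itself is configured on the secret, not in the application.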