AWS Certified Solutions Architect – Associate (SAA-C02) — Question 504
A company has several web servers that need to frequently access a common Amazon RDS MySQL Multi-AZ DB instance. The company wants a secure method for the web servers to connect to the database while meeting a security requirement to rotate user credentials frequently.
Which solution meets these requirements?
Answer options
- A. Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager.
- B. Store the database user credentials in AWS Systems Manager OpsCenter. Grant the necessary IAM permissions to allow the web servers to access OpsCenter.
- C. Store the database user credentials in a secure Amazon S3 bucket. Grant the necessary IAM permissions to allow the web servers to retrieve credentials and access the database.
- D. Store the database user credentials in files encrypted with AWS Key Management Service (AWS KMS) on the web server file system. The web server should be able to decrypt the files and access the database.
Correct answer: A
Explanation
AWS Secrets Manager natively supports automatic rotation of Amazon RDS database credentials, which directly satisfies the frequent-rotation requirement. The other options (Amazon S3, local encrypted files, and AWS Systems Manager OpsCenter) do not offer built-in, automated credential rotation for RDS. Combining Secrets Manager with IAM roles on the web servers gives the servers secure, programmatic access to the credentials without hardcoding them.