AWS Certified Solutions Architect – Associate (SAA-C03) — Question 297
A company has a custom application with embedded credentials that retrieves information from an Amazon RDS MySQL DB instance. Management says the application must be made more secure with the least amount of programming effort.
What should a solutions architect do to meet these requirements?
Answer options
- A. Use AWS Key Management Service (AWS KMS) to create keys. Configure the application to load the database credentials from AWS KMS. Enable automatic key rotation.
- B. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Create an AWS Lambda function that rotates the credentials in Secrets Manager.
- C. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager.
- D. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Systems Manager Parameter Store. Configure the application to load the database credentials from Parameter Store. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Parameter Store.
Correct answer: C
Explanation
AWS Secrets Manager has built-in (managed) rotation for Amazon RDS MySQL credentials: you enable rotation on the secret and pick a schedule, and Secrets Manager deploys and invokes the rotation Lambda function for you, so no rotation code has to be written. The application only has to stop using the embedded credentials and call GetSecretValue to fetch the current username and password, which is the smallest code change of the four options, so option C is correct.

Option B also works, but it requires writing, deploying and maintaining a custom rotation Lambda function, which is exactly the programming effort the requirement tries to avoid. Option D fails because AWS Systems Manager Parameter Store can hold credentials (as SecureString parameters) but has no built-in rotation for RDS database users. Option A is not viable at all: AWS KMS creates and rotates cryptographic keys, it does not store database credentials, and automatic key rotation has nothing to do with changing a MySQL user's password.

Two practical points for implementing option C: the application's IAM role must be allowed secretsmanager:GetSecretValue on the secret (plus kms:Decrypt if the secret is encrypted with a customer managed key), and because rotation changes the password while the application is running, the application should re-read the secret when a database login fails rather than caching the password for the life of the process.
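A minimal application-side implementation of the option C approach, added here as an example (it is not from the exam or from AWS documentation): the secret is parsed from the JSON layout Secrets Manager uses for RDS secrets, cached briefly, and re-fetched once when the database rejects the cached password after a rotation. The Secrets Manager client is duck-typed, so a real boto3.client("secretsmanager") can be passed in unchanged; FakeSecretsManager, FakeMySQL and the secret name prod/app/mysql are constructed stand-ins so the example runs offline.

```python
"""Load RDS MySQL credentials from Secrets Manager and survive rotation.

Added example, not from the exam page. Assumes the JSON layout Secrets Manager
writes for RDS secrets (username, password, engine, host, port, dbname).
FakeSecretsManager and FakeMySQL are constructed stand-ins for offline use.
"""
import json
import time
from typing import Any, Callable, Dict

REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")


class AuthError(Exception):
    """Raised by the connect callable when the database rejects the password."""


def parse_rds_secret(secret_string: str) -> Dict[str, Any]:
    """Turn the SecretString JSON into keyword arguments for a MySQL driver."""
    data = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    if data.get("engine", "mysql") != "mysql":
        raise ValueError(f"unexpected engine {data['engine']!r}")
    return {
        "host": data["host"],
        "port": int(data["port"]),
        "user": data["username"],
        "password": data["password"],
        "database": data["dbname"],
    }


class SecretCache:
    """TTL cache so the app does not call GetSecretValue for every connection."""

    def __init__(self, client, secret_id: str, ttl_seconds: float = 300.0):
        self.client = client          # anything with get_secret_value(SecretId=...)
        self.secret_id = secret_id
        self.ttl = ttl_seconds
        self._value = None
        self._fetched_at = 0.0

    def get(self, force_refresh: bool = False) -> Dict[str, Any]:
        stale = time.monotonic() - self._fetched_at > self.ttl
        if force_refresh or self._value is None or stale:
            resp = self.client.get_secret_value(SecretId=self.secret_id)
            self._value = parse_rds_secret(resp["SecretString"])
            self._fetched_at = time.monotonic()
        return self._value


def connect_with_rotation_retry(cache: SecretCache,
                                connect: Callable[[Dict[str, Any]], Any]) -> Any:
    """Connect; if the cached password is rejected, refresh the secret once.

    Right after a rotation the cached password is no longer valid, so an
    authentication failure is the signal to re-read the secret.
    """
    try:
        return connect(cache.get())
    except AuthError:
        return connect(cache.get(force_refresh=True))


# Constructed stand-ins for the real services (not AWS or MySQL code).
class FakeSecretsManager:
    def __init__(self, secret: Dict[str, Any]):
        self.secret = dict(secret)
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.secret)}


class FakeMySQL:
    """Accepts only the current password, like a real MySQL login."""

    def __init__(self, user: str, password: str):
        self.user, self.password = user, password

    def connect(self, params: Dict[str, Any]) -> str:
        if (params["user"], params["password"]) != (self.user, self.password):
            raise AuthError("Access denied for user")
        return f"connected as {params['user']}@{params['host']}"


def simulate_rotation():
    """Warm the cache, rotate secret and DB password, reconnect.
    Returns (first result, second result, GetSecretValue call count)."""
    secret = {"username": "app", "password": "old-pw", "engine": "mysql",
              "host": "db.example.internal", "port": 3306, "dbname": "app"}
    sm = FakeSecretsManager(secret)
    db = FakeMySQL("app", "old-pw")
    cache = SecretCache(sm, "prod/app/mysql")
    first = connect_with_rotation_retry(cache, db.connect)
    sm.secret["password"] = "new-pw"   # managed rotation updates the secret...
    db.password = "new-pw"             # ...and the MySQL user's password
    second = connect_with_rotation_retry(cache, db.connect)
    return first, second, sm.calls


if __name__ == "__main__":
    print(simulate_rotation())
```

The second connection attempt hits the stale cached password, gets an authentication error, re-reads the secret and succeeds, so only two GetSecretValue calls are made across the whole scenario. With a real driver, replace FakeMySQL.connect with a wrapper that maps the driver's access-denied error to AuthError.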