AWS Certified Solutions Architect – Associate (SAA-C03) — Question 890
A company has a custom application with embedded credentials that retrieves information from a database in an Amazon RDS for MySQL DB cluster. The company needs to make the application more secure with minimal programming effort. The company has created credentials on the RDS for MySQL database for the application user.
Which solution will meet these requirements?
Answer options
- A. Store the credentials in AWS Key Management Service (AWS KMS). Create keys in AWS KMS. Configure the application to load the database credentials from AWS KMS. Enable automatic key rotation.
- B. Store the credentials in encrypted local storage. Configure the application to load the database credentials from the local storage. Set up a credentials rotation schedule by creating a cron job.
- C. Store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule by creating an AWS Lambda function for Secrets Manager.
- D. Store the credentials in AWS Systems Manager Parameter Store. Configure the application to load the database credentials from Parameter Store. Set up a credentials rotation schedule in the RDS for MySQL database by using Parameter Store.
Correct answer: C
Explanation
AWS Secrets Manager is specifically designed to protect secrets such as database credentials and natively supports automated rotation through AWS Lambda functions, so the application only needs to be changed to read the credentials from Secrets Manager instead of carrying them embedded. AWS KMS is intended for managing encryption keys rather than storing and rotating secrets, and AWS Systems Manager Parameter Store has no built-in credential rotation for RDS databases. Encrypted local storage with cron jobs adds administrative overhead and does not align with AWS security best practices.
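Option C in practice, as an added example that is not part of the original question set: the application loads its MySQL credentials from Secrets Manager instead of embedding them, caches them, and re-reads the secret once when a connection is refused, which is what happens after the Lambda rotation changes the password. The function names, the `SecretCache` class and the sample secret value are assumptions; the JSON key names follow the structure Secrets Manager uses for RDS secrets.

```python
import json
import time

# Constructed sample of the JSON SecretString Secrets Manager stores for an RDS
# secret (username/password/engine/host/port/dbname); not a real credential.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "app_user", "password": "constructed-password", "engine": "mysql",
    "host": "example-cluster.cluster-abc.us-east-1.rds.amazonaws.com",
    "port": 3306, "dbname": "appdb",
})

def fetch_from_secrets_manager(secret_id, region):
    # The real lookup; boto3 is imported lazily so the rest of the file runs offline.
    # Assumes the caller's IAM role allows secretsmanager:GetSecretValue on secret_id.
    import boto3
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]

def connection_params(secret_string):
    # Map the secret's fields to kwargs for a MySQL client (e.g. pymysql.connect(**p)),
    # so no username or password ever appears in source code or config files.
    s = json.loads(secret_string)
    return {"host": s["host"], "port": int(s.get("port", 3306)),
            "user": s["username"], "password": s["password"],
            "database": s.get("dbname", "")}

class SecretCache:
    # Caches the secret for `ttl` seconds to avoid an API call per connection, but can
    # be refreshed on demand: after a Lambda rotation the cached password is stale, and
    # an app that never re-reads the secret keeps failing until it is restarted.
    def __init__(self, fetch, ttl=300, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._params, self._expires = None, 0.0

    def get(self, force_refresh=False):
        if force_refresh or self._params is None or self._clock() >= self._expires:
            self._params = connection_params(self._fetch())
            self._expires = self._clock() + self._ttl
        return self._params

def connect_with_rotation_retry(cache, connect, is_auth_error):
    # Connect with the cached credentials; on an authentication failure (the usual
    # symptom of a rotation) refresh the secret once and retry, then give up.
    try:
        return connect(**cache.get())
    except Exception as exc:
        if not is_auth_error(exc):
            raise
        return connect(**cache.get(force_refresh=True))
```

In production, `fetch` would be `lambda: fetch_from_secrets_manager("<secret-id>", "<region>")` and `connect` the MySQL client's connect call, with `is_auth_error` checking for the driver's access-denied error.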