AWS Certified Solutions Architect – Professional — Question 402

A security engineer determined that an existing application retrieves credentials for an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:
✑ The database must use strong, randomly generated passwords stored in a secure AWS managed service.
✑ The application resources must be deployed through AWS CloudFormation.
✑ The application must rotate credentials for the database every 90 days.
A solutions architect will generate a CloudFormation template to deploy the application.
Which resources specified in the CloudFormation template will meet the security engineer's requirements with the LEAST amount of operational overhead?

Answer options

Correct answer: A

Explanation

AWS Secrets Manager is the service designed for managing database credentials, and it natively integrates with AWS Lambda and CloudFormation through the AWS::SecretsManager::RotationSchedule resource, which automates rotation on a defined schedule. AWS Systems Manager Parameter Store has no equivalent RotationSchedule resource, ruling out Options B and D. While Option C is technically feasible, using Amazon EventBridge to trigger rotation introduces more operational overhead than using the built-in Secrets Manager RotationSchedule resource.