AWS Certified Solutions Architect – Professional — Question 487
A company runs an application on AWS. An AWS Lambda function uses credentials to authenticate to an Amazon RDS for MySQL DB instance. A security risk assessment identified that these credentials are not frequently rotated. Also, encryption at rest is not enabled for the DB instance. The security team requires that both of these issues be resolved.
Which strategy should a solutions architect recommend to remediate these security risks?
Answer options
- A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
- B. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Modify the DB instance and enable encryption.
- C. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
- D. Configure the Lambda function to store and retrieve the database credentials as encrypted AWS Systems Manager Parameter Store parameters. Create another Lambda function to automatically rotate the credentials. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
Correct answer: A
Explanation
AWS Secrets Manager natively supports automatic credential rotation for Amazon RDS: it deploys a rotation Lambda function that changes the database password and updates the secret on a schedule, which resolves the rotation risk. The application Lambda function then retrieves the current secret at run time instead of holding a static credential. Encryption at rest cannot be enabled on an existing unencrypted RDS DB instance. The supported path is to take a snapshot, copy the snapshot with encryption enabled (selecting a KMS key), restore a new DB instance from the encrypted copy, and cut the application over to it. Unless the new instance is renamed to the old identifier, it has a different endpoint, so the host stored in the secret must be updated as part of the cutover.

Option B fails because encryption cannot be turned on by modifying an existing instance. Options C and D fail because a read replica inherits the encryption state of its source: an unencrypted RDS instance cannot have an encrypted read replica. IAM database authentication (B and C) would by itself be a valid answer to the rotation problem, since it replaces passwords with short-lived tokens, and Parameter Store with a custom rotation function (D) could work as well, but the encryption step in each of those options is not possible. Two operational caveats apply to A: the rotation Lambda function runs inside the VPC and needs network access both to the DB instance and to Secrets Manager (through a VPC endpoint or NAT), and the application must tolerate rotation by refetching the secret when a cached password is rejected rather than failing until the next cold start.
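The last caveat is the one that breaks applications in practice: a Lambda execution environment that caches the secret keeps using the old password after rotation. The following is an added example, not part of the exam question or of any AWS sample. It shows the rotation-aware fetch pattern in Python. FakeSecretsManager and FakeMySQL are constructed stand-ins for the boto3 secretsmanager client and the MySQL driver so the code runs offline; the secret JSON layout (engine, host, port, dbname, username, password) is the one Secrets Manager uses for RDS secrets, while the secret name and host are assumptions.

```python
"""Rotation-aware retrieval of an RDS credential from Secrets Manager.

Constructed example: FakeSecretsManager and FakeMySQL stand in for
boto3.client("secretsmanager") and the MySQL driver so it runs offline.
"""
import json
import time


class AuthError(Exception):
    """Raised by the (fake) MySQL driver when username/password are rejected."""


class FakeSecretsManager:
    """Stand-in for the boto3 secretsmanager client; only get_secret_value is modelled."""

    def __init__(self, secret_id, username, password):
        self.secret_id = secret_id
        # Same key layout Secrets Manager uses for RDS secrets; host/dbname are assumed values.
        self.secret = {"engine": "mysql", "host": "db.example.internal", "port": 3306,
                       "dbname": "app", "username": username, "password": password}
        self.calls = 0  # counts API calls so the test can prove caching works

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId != self.secret_id:
            raise KeyError(SecretId)
        return {"SecretString": json.dumps(self.secret)}

    def rotate(self, new_password):
        """What the rotation Lambda does in finishSecret: the new password becomes AWSCURRENT."""
        self.secret["password"] = new_password


class FakeMySQL:
    """Stand-in for the DB instance: accepts only the password currently set on the user."""

    def __init__(self, username, password):
        self.users = {username: password}

    def connect(self, user, password):
        if self.users.get(user) != password:
            raise AuthError(f"Access denied for user '{user}'")
        return {"user": user}

    def set_password(self, user, password):
        """What the rotation Lambda does in setSecret: ALTER USER ... IDENTIFIED BY."""
        self.users[user] = password


class CredentialCache:
    """Caches the secret across warm invocations; refreshes on TTL expiry or on demand."""

    def __init__(self, sm_client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.sm, self.secret_id, self.ttl, self.clock = sm_client, secret_id, ttl_seconds, clock
        self._creds, self._fetched_at = None, None

    def get(self, force_refresh=False):
        stale = self._creds is None or (self.clock() - self._fetched_at) > self.ttl
        if force_refresh or stale:
            raw = self.sm.get_secret_value(SecretId=self.secret_id)["SecretString"]
            self._creds, self._fetched_at = json.loads(raw), self.clock()
        return self._creds


def connect_with_rotation_retry(cache, db):
    """Use the cached credential; if the DB rejects it, refetch once and retry."""
    creds = cache.get()
    try:
        return db.connect(user=creds["username"], password=creds["password"])
    except AuthError:
        creds = cache.get(force_refresh=True)   # rotation moved the password; bypass the cache
        return db.connect(user=creds["username"], password=creds["password"])


def run_demo():
    """Connect, connect again from cache, rotate, connect again. Returns call counts."""
    sm = FakeSecretsManager("prod/app/mysql", "app_user", "old-pw")
    db = FakeMySQL("app_user", "old-pw")
    cache = CredentialCache(sm, "prod/app/mysql")
    connect_with_rotation_retry(cache, db)
    connect_with_rotation_retry(cache, db)          # served from cache, no API call
    calls_before_rotation = sm.calls
    db.set_password("app_user", "new-pw")           # rotation Lambda: setSecret
    sm.rotate("new-pw")                             # rotation Lambda: finishSecret
    conn = connect_with_rotation_retry(cache, db)   # stale cache -> AuthError -> refetch
    return {"calls_before_rotation": calls_before_rotation,
            "calls_after_rotation": sm.calls, "connected_as": conn["user"]}


if __name__ == "__main__":
    print(run_demo())
```

The retry is bounded to one refetch on purpose: with the single-user rotation strategy there is a short window between setSecret and finishSecret in which the database already has the new password but the secret still returns the old one, so a refetch can legitimately fail once and the invocation should surface the error rather than loop. The alternating-users strategy (two database users, one active at a time) avoids that window and is the better choice when the application cannot tolerate any failed connections.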