AWS Certified SysOps Administrator – Associate — Question 233
A SysOps administrator needs to secure the credentials for an Amazon RDS database that is created by an AWS CloudFormation template. The solution must encrypt the credentials and must support automatic rotation.
Which solution will meet these requirements?
Answer options
- A. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference.
- B. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm-secure dynamic reference.
- C. Create an AWS::SSM::Parameter resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm dynamic reference.
- D. Create parameters for the database credentials in the CloudFormation template. Use the Ref intrinsic function to provide the credentials to the AWS::RDS::DBInstance resource.
Correct answer: A
Explanation
Option A is correct because AWS Secrets Manager is designed for managing and rotating credentials securely. Options B and C do not provide the required automatic rotation feature, and option D does not encrypt the credentials, as it relies on parameters without the security features offered by Secrets Manager.