AWS Certified SysOps Administrator – Associate — Question 443

A compliance team requires all administrator passwords for Amazon RDS DB instances to be changed at least annually.
Which solution meets this requirement in the MOST operationally efficient manner?

Answer options

• A. Store the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.
• B. Store the database credentials as a parameter in the RDS parameter group. Create a database trigger to rotate the password every 365 days.
• C. Store the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days.
• D. Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.

Correct answer: A

Explanation

AWS Secrets Manager natively integrates with Amazon RDS to provide automatic, out-of-the-box credential rotation, making it the most operationally efficient solution. AWS Systems Manager Parameter Store does not support native rotation for RDS databases. Storing credentials in Amazon S3 or RDS parameter groups is insecure and requires complex, custom-built rotation mechanisms.