AWS Certified SysOps Administrator – Associate — Question 460
A SysOps administrator is designing a solution for an Amazon RDS for PostgreSQL DB instance. Database credentials must be stored and rotated monthly. The applications that connect to the DB instance send write-intensive traffic with variable client connections that sometimes increase significantly in a short period of time.
Which solution should a SysOps administrator choose to meet these requirements?
Answer options
- A. Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS Proxy to handle the increases in database connections.
- B. Configure AWS Key Management Service (AWS KMS) to automatically rotate the keys for the DB instance. Use RDS read replicas to handle the increases in database connections.
- C. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS Proxy to handle the increases in database connections.
- D. Configure AWS Secrets Manager to automatically rotate the credentials for the DB instance. Use RDS read replicas to handle the increases in database connections.
Correct answer: C
Explanation
AWS Secrets Manager is the correct service for storing and automatically rotating database credentials, whereas AWS KMS only manages encryption keys and cannot rotate database user credentials. To manage sudden spikes in write-intensive client connections, RDS Proxy acts as an intermediary connection pooler to prevent the database from running out of memory or connections. The options that use RDS read replicas are incorrect because read replicas only offload read traffic and cannot handle write-intensive connection spikes.