Question #692
A company runs an application on Amazon EC2 instances that connect to a PostgreSQL database hosted on Amazon RDS. The security team mandates that the database password must be automatically rotated every 45 days. Which solution MOST securely meets this requirement?
A. Store the database credentials in the EC2 instance user data. Use a cron job to update the credentials every 45 days.
B. Store the database credentials in AWS Secrets Manager. Configure a 45-day rotation schedule using an AWS Lambda rotation function.
C. Store the database credentials in AWS Systems Manager Parameter Store as secure strings. Set a 45-day expiration policy for the parameters.
D. Encrypt the database credentials using AWS KMS customer-managed keys (CMK). Rotate the KMS key every 45 days and update the credentials manually.
Explanation
Option B is correct because AWS Secrets Manager is designed to store and rotate secrets securely. On the configured schedule it invokes a Lambda rotation function that sets a new password in the RDS database and writes the new value to the secret, so every application that retrieves the secret at connection time picks up the current credentials. This rotates the password every 45 days with no manual steps.
Other options are incorrect because:
- A: EC2 user data is stored in plaintext and is readable from the instance metadata service, so it is not a secure place for credentials, and a cron job provides no secure rotation mechanism.
- C: Parameter Store's expiration policy only flags secrets as expired but does not auto-rotate them.
- D: Rotating KMS keys does not change the database password; manual updates are still required.
Key Points: Use Secrets Manager for automated, secure credential rotation; avoid storing secrets in user data or relying on expiration policies without rotation logic.
Answer
The correct answer is: B