AWS Certified Developer – Associate / Question #964 of 557

Question #964

A company is deploying a new serverless application using AWS Lambda that needs to connect to an Amazon RDS for MySQL database. The security team mandates that the application must not use long-term database credentials to ensure enhanced security.

Which solution satisfies these requirements?

A. Enable IAM database authentication on the RDS MySQL instance. Create an IAM role with the necessary permissions and attach it to the Lambda function.

B. Store the MySQL credentials in AWS Secrets Manager. Create an IAM role that allows the Lambda function to retrieve the secrets and use them to connect.

C. Configure the MySQL credentials as environment variables encrypted with AWS KMS within the Lambda function.

D. Use AWS Systems Manager Parameter Store to store the credentials. Grant the Lambda function's execution role access to retrieve the parameters.

Explanation

Answer A is correct because enabling IAM database authentication for RDS MySQL lets the Lambda function authenticate with a short-lived token that is signed using the temporary credentials of its attached IAM role. No long-term database password is stored anywhere, which is exactly what the security mandate requires.

Options B, C, and D are incorrect because each of them stores a database password (even if it is encrypted or managed by a service such as Secrets Manager or Parameter Store). Such a password is still a long-term credential: it remains valid until it is rotated or revoked. With IAM database authentication (A), the credential is generated on demand, expires after 15 minutes, and never has to be stored, so the static secret is eliminated.
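The following Lambda code is an added example illustrating option A; it is not part of the exam question. It assumes (these details are not in the question) that the MySQL user `app_user` was created with `CREATE USER 'app_user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';`, that the execution role is granted `rds-db:connect` on that user, that the `pymysql` driver and an RDS CA bundle at `/opt/rds-ca-bundle.pem` are packaged with the function, and that `DB_HOST`, `DB_USER` and optionally `DB_PORT`/`DB_NAME` are set as environment variables (none of them holding a password).

```python
"""Added example (not from the question): connect a Lambda function to
RDS for MySQL with an IAM authentication token instead of a stored password.

Assumed setup, none of it taken from the question:
  - MySQL user created with:
      CREATE USER 'app_user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
  - the execution role allows rds-db:connect on that user (see connect_policy)
  - pymysql and an RDS CA bundle (/opt/rds-ca-bundle.pem) are packaged
"""
import os
from typing import Any, Dict

# An RDS IAM authentication token is valid for 15 minutes after it is issued.
TOKEN_TTL_SECONDS = 15 * 60


def rds_db_user_arn(region: str, account_id: str, db_resource_id: str, db_user: str) -> str:
    """Resource ARN that rds-db:connect must be granted on.

    A common mistake: the resource is the DB instance's *resource ID*
    (the db-XXXX value shown in the console), not the DB identifier, and
    the MySQL user name follows a slash.
    """
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}"


def connect_policy(resource_arn: str) -> Dict[str, Any]:
    """Least-privilege policy for the execution role: it only permits
    requesting a token for one DB user. No password exists to protect."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "rds-db:connect", "Resource": resource_arn}
        ],
    }


def fetch_auth_token(host: str, port: int, db_user: str, region: str) -> str:
    """Ask RDS for a short-lived signed token. The signature is made with the
    temporary credentials Lambda injects for the attached role, so nothing
    long-lived is involved."""
    import boto3  # imported here so the pure helpers above run without the SDK

    rds = boto3.client("rds", region_name=region)
    return rds.generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=db_user, Region=region
    )


def handler(event, context):
    """Lambda entry point: obtain a token, connect over TLS, run one query."""
    import pymysql  # packaged with the function (assumption)

    host = os.environ["DB_HOST"]
    port = int(os.environ.get("DB_PORT", "3306"))
    db_user = os.environ["DB_USER"]
    region = os.environ["AWS_REGION"]  # populated by the Lambda runtime

    # A fresh token per invocation; tokens expire after TOKEN_TTL_SECONDS, so
    # never cache one across that window.
    token = fetch_auth_token(host, port, db_user, region)

    # The token is presented as the password. IAM authentication requires TLS,
    # and verifying the server certificate against the RDS CA bundle prevents
    # the token from being handed to an impostor endpoint.
    conn = pymysql.connect(
        host=host,
        port=port,
        user=db_user,
        password=token,
        database=os.environ.get("DB_NAME", "app"),
        ssl={"ca": "/opt/rds-ca-bundle.pem"},
        connect_timeout=5,
    )
    try:
        with conn.cursor() as cur:
            cur.execute("SELECT CURRENT_USER()")
            return {"connected_as": cur.fetchone()[0]}
    finally:
        conn.close()
```

The point to notice is what is absent: no password is read from an environment variable, a secret store or a parameter. The only "credential" is the token string produced by `generate_db_auth_token`, which is derived from the role's temporary session credentials and becomes useless 15 minutes later, so there is nothing to rotate and nothing for an attacker to exfiltrate from the function's configuration.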

Answer

The correct answer is: A