AWS Certified Developer – Associate / Question #776 of 557

Question #776

A company's existing application uses hard-coded database credentials. A developer must modify the application, which is deployed across two AWS Regions in an active-passive configuration for disaster recovery. The solution must store the credentials outside the code and comply with the disaster recovery strategy.

Which solution is MOST secure?

A. Store the credentials in AWS Secrets Manager in the primary Region. Enable secret replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.

B. Store the credentials in AWS Systems Manager Parameter Store in the primary Region. Enable parameter replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.

C. Store the credentials in a config file. Upload the config file to an S3 bucket in the primary Region. Enable Cross-Region Replication (CRR) to an S3 bucket in the secondary Region. Update the application to access the config file from the S3 bucket, based on the Region.

D. Store the credentials in a config file. Upload the config file to an Amazon Elastic File System (Amazon EFS) file system. Update the application to use the Amazon EFS file system Regional endpoints to access the config file in the primary and secondary Regions.

Explanation

Answer A is correct because AWS Secrets Manager is designed for secure credential storage, offering encryption at rest with AWS KMS, IAM-based access policies, and built-in cross-Region replication. Replication ensures the credentials are available in both Regions for the active-passive setup, and the application can retrieve the secret dynamically using the Region-specific ARN, so failover does not require a code or configuration change.

Option B is less suitable because Systems Manager Parameter Store lacks native secret rotation and has limited replication automation compared to Secrets Manager. Option C uses S3, which is less secure for secrets because bucket or object permissions are easy to misconfigure and S3 has no native secret management features. Option D relies on EFS, which is Region-bound and requires manual replication, so it fails to meet the DR requirement. Secrets Manager's replication, encryption, and access control make it the most secure and compliant choice.

Answer

The correct answer is: A