Question #596
A company needs to securely store database credentials that must be accessed by automation scripts running in Amazon EC2 instances and referenced within AWS CloudFormation templates. The solution should be cost-effective while ensuring the credentials are encrypted at rest.
Which option meets these requirements with the LEAST operational overhead?
A. Store the credentials in an encrypted Amazon S3 bucket with a specific object tag.
B. Use AWS Secrets Manager with a resource-based policy allowing access from EC2 and CloudFormation.
C. Utilize AWS Systems Manager Parameter Store SecureString parameters.
D. Pass the credentials using CloudFormation's NoEcho parameter type.
Explanation
Option C is correct because AWS Systems Manager (SSM) Parameter Store SecureString parameters are encrypted with AWS KMS, so the credentials are encrypted at rest. EC2 instances can read them natively through their IAM roles, and CloudFormation templates can reference them directly, which keeps operational complexity low. Parameter Store is also cost-effective: standard parameters carry no additional charge, and SecureString parameters incur only minimal KMS costs.
Other options:
- A: Storing credentials in S3 requires managing bucket policies, IAM permissions, and object versioning, which increases operational overhead.
- B: Secrets Manager costs more than Parameter Store and is more than is needed for static credentials.
- D: CloudFormation's NoEcho only masks the parameter value in console and API output; it does not provide encrypted storage, so it fails the encryption-at-rest requirement.
Key Points: Use SSM Parameter Store SecureString for encrypted, low-cost secrets management integrated with AWS services.
Answer
The correct answer is: C