AWS Certified Developer – Associate / Question #859 of 557

Question #859

A company operates a serverless data analytics application on AWS. The application uses an AWS Lambda function to process and load data into an Amazon Redshift cluster. The Lambda function accesses the Redshift cluster using a set of database credentials. A developer needs to manage these credentials securely using AWS Secrets Manager and ensure the password is rotated regularly without causing downtime or disruption to the data loading process.

What should the developer implement to meet these requirements?

A. Configure Secrets Manager rotation with the single user strategy, updating the credentials directly in Redshift.

B. Configure Secrets Manager rotation with the alternating users strategy, maintaining two separate credentials in Redshift.

C. Enable automatic rotation using the single user strategy and update the Lambda function's environment variables manually.

D. Enable automatic rotation using the alternating users strategy and ensure the Lambda function references the Secrets Manager secret.

Explanation

Answer D is correct because:
1. Alternating Users Strategy: Secrets Manager creates two users (e.g., UserA and UserB). During rotation, it updates the inactive user's password, tests it, then switches the active user. This ensures at least one valid credential is always available, preventing downtime.
2. Lambda References Secrets Manager Secret: By having Lambda retrieve credentials directly from Secrets Manager (instead of hardcoding), it always uses the latest secret without manual updates.

Why other options are incorrect:
- A: Single user strategy risks downtime during rotation, as the password changes and Lambda may temporarily lose access.
- B: Maintaining two credentials manually in Redshift is unnecessary; Secrets Manager handles this automatically.
- C: Manually updating Lambda's environment variables is error-prone and defeats the purpose of automated rotation.

Key Points:
- Use Secrets Manager's alternating users strategy for zero-downtime rotation.
- Lambda should reference the secret directly to avoid hardcoding credentials.
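As an added illustration (not part of the question or the exam's explanation), the Python below simulates both rotation strategies against a constructed stand-in for Secrets Manager and the Redshift user table. The Lambda-side pattern it shows is: read the secret at run time, cache it across invocations, and re-read it once if Redshift rejects the cached password. All class and function names (SecretCache, connect_with_refresh, FakeRotationLab) are assumptions; a real function would wrap boto3's secretsmanager get_secret_value where fetch_secret is injected here.

```python
import json

class AuthError(Exception):
    """Raised by the (simulated) Redshift client when a password is rejected."""

class SecretCache:
    """Caches the AWSCURRENT secret inside the Lambda execution environment.
    fetch_secret is injected (a real function wraps boto3's
    secretsmanager.get_secret_value); a refresh is forced after an AuthError."""
    def __init__(self, fetch_secret):
        self._fetch, self._value = fetch_secret, None

    def get(self, force_refresh=False):
        if force_refresh or self._value is None:
            self._value = json.loads(self._fetch())
        return self._value

def connect_with_refresh(cache, connect):
    """Use cached credentials; if Redshift rejects them (a rotation completed
    between invocations), re-read the secret once and retry."""
    creds = cache.get()
    try:
        return connect(creds["username"], creds["password"])
    except AuthError:
        creds = cache.get(force_refresh=True)
        return connect(creds["username"], creds["password"])

class FakeRotationLab:
    """Constructed stand-in for Secrets Manager plus Redshift's user table,
    so both rotation strategies can be exercised offline (hypothetical)."""
    def __init__(self):
        self.db_passwords = {"app_a": "pw-1"}                      # user -> password
        self.current = {"username": "app_a", "password": "pw-1"}  # AWSCURRENT
        self.fetch_calls = 0

    def fetch_secret(self):
        self.fetch_calls += 1
        return json.dumps(self.current)

    def connect(self, user, password):
        if self.db_passwords.get(user) != password:
            raise AuthError(f"password rejected for {user}")
        return f"session:{user}"

    def rotate_single_user(self, new_pw):
        # Single user: the same login's password changes, so a credential
        # cached before the rotation is rejected until the cache is refreshed.
        self.db_passwords[self.current["username"]] = new_pw
        self.current = {**self.current, "password": new_pw}

    def rotate_alternating_users(self, new_pw):
        # Alternating users: the inactive user gets the new password and becomes
        # AWSCURRENT; the previously active login keeps working for cached callers.
        other = "app_b" if self.current["username"] == "app_a" else "app_a"
        self.db_passwords[other] = new_pw
        self.current = {"username": other, "password": new_pw}
```

Running the two rotations back to back shows why the alternating strategy avoids a failed login window: after an alternating rotation the cached credential still connects, while after a single-user rotation the first attempt fails and only the refresh-on-AuthError path recovers.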

Answer

The correct answer is: D