Question #566
A company needs to securely manage a database password used by their application. The solution must ensure the password is stored securely and retrieved at runtime without impacting application performance. Which option meets these requirements MOST securely?
Store the database password in AWS Secrets Manager. Retrieve the password at runtime using the AWS SDK. Use the password to establish the database connection.
Store the database password in an environment variable within the application code. Commit the code to a private Git repository. Use the environment variable at runtime to connect to the database.
Store the database password in a configuration file within a private Amazon S3 bucket. Restrict access via IAM policies. Retrieve the file at runtime using the AWS SDK and extract the password to connect to the database.
Store the database password in an encrypted field in an Amazon RDS database. Restrict access using security group rules. Retrieve the password at runtime via a SQL query and use it to connect to the target database.
Explanation
Answer A is correct because AWS Secrets Manager is purpose-built for securely storing secrets like database passwords. It encrypts secrets by default, enables automatic rotation, and allows applications to retrieve credentials programmatically via the AWS SDK at runtime, ensuring minimal latency.
Option B is insecure because environment variables can leak through logs or debugging tools, and storing secrets in code repositories (even private) violates security best practices. Option C introduces unnecessary complexity and latency by requiring S3 file retrieval and manual decryption. Option D is flawed because storing the password in the same RDS database it protects creates a circular dependency, and SQL queries for password retrieval pose security risks. Secrets Manager centralizes security, simplifies access management via IAM, and optimizes performance, making it the most secure and efficient choice.
Answer
The correct answer is: A