Question #788
A developer is configuring an Amazon EC2 instance that requires access to an Amazon Aurora PostgreSQL database. The developer needs to securely store the database credentials and ensure the database password is automatically rotated every 30 days. Which approach satisfies these requirements?
A. Store the database credentials in the EC2 instance user data. Configure an AWS Lambda function to rotate the credentials and update the user data.
B. Store the database credentials in AWS Secrets Manager. Enable rotation for the secret using an AWS-provided rotation template.
C. Store the database credentials in AWS Systems Manager Parameter Store as SecureString parameters. Create an EventBridge rule to trigger rotation via a custom Lambda function.
D. Store the database credentials in an Amazon S3 bucket with server-side encryption. Use AWS Config to enforce periodic credential rotation.
Explanation
Answer B is correct because AWS Secrets Manager is designed for secure credential storage and offers automatic rotation via AWS-provided templates, including support for Amazon Aurora PostgreSQL. This eliminates manual intervention and ensures compliance with the 30-day rotation policy.
Why other options are incorrect:
- A: EC2 user data is not secure for credentials (stored in plaintext/base64) and lacks native rotation capabilities.
- C: Systems Manager Parameter Store (SecureString) lacks built-in rotation; custom Lambda/EventBridge setups add complexity.
- D: S3 is not designed for secret management, and AWS Config does not handle credential rotation.
Key Points:
1. Use Secrets Manager for secure credential storage and automated rotation.
2. AWS-provided rotation templates simplify RDS/Aurora credential management.
3. Avoid storing secrets in user data, Parameter Store, or S3 for this use case.
Answer
The correct answer is: B
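Once rotation is enabled (option B), the application on the EC2 instance must be written so a rotated password does not break it: fetch credentials from Secrets Manager rather than baking them in, cache them briefly, and re-fetch on an authentication failure. The following is an added example, not part of the original question; it uses a constructed stand-in for the boto3 `secretsmanager` client (same `get_secret_value` shape) so it runs offline and can simulate a scheduled rotation.

```python
import json
import time

# Constructed stand-in for boto3's secretsmanager client; rotate() mimics what the
# AWS-provided rotation Lambda does on its 30-day schedule (new password, new version).
class FakeSecretsManager:
    def __init__(self, secret_id, username, password):
        self.secret_id, self.username, self.password, self.version = secret_id, username, password, 1

    def rotate(self, new_password):
        self.password, self.version = new_password, self.version + 1

    def get_secret_value(self, SecretId):
        assert SecretId == self.secret_id
        return {"SecretString": json.dumps({"username": self.username, "password": self.password}),
                "VersionId": str(self.version)}

class RotatingCredentialCache:
    """Fetch DB credentials from Secrets Manager, cache for a short TTL, refresh on demand."""
    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._creds, self._fetched_at = None, 0.0

    def refresh(self):
        resp = self.client.get_secret_value(SecretId=self.secret_id)
        self._creds = json.loads(resp["SecretString"])  # {"username": ..., "password": ...}
        self._fetched_at = self.clock()
        return self._creds

    def credentials(self):
        if self._creds is None or self.clock() - self._fetched_at > self.ttl:
            return self.refresh()
        return self._creds

class AuthError(Exception):
    pass

def connect_with_refresh(cache, connect):
    """Use cached creds; if the DB rejects them (password rotated since last fetch), refresh once and retry."""
    try:
        return connect(**cache.credentials())
    except AuthError:
        return connect(**cache.refresh())

def demo():
    sm = FakeSecretsManager("prod/aurora/app", "app_user", "pw-v1")  # hypothetical secret name
    cache = RotatingCredentialCache(sm, "prod/aurora/app")
    attempts = []
    def connect(username, password):  # stand-in for a real driver's connect(), e.g. psycopg2
        attempts.append(password)
        if password != sm.password:
            raise AuthError("password authentication failed")
        return f"connected as {username} v{sm.version}"
    first = connect_with_refresh(cache, connect)   # fresh fetch, succeeds with pw-v1
    sm.rotate("pw-v2")                             # scheduled rotation happens in the background
    second = connect_with_refresh(cache, connect)  # stale cache fails once, refresh, succeeds
    return first, second, attempts
```

The retry-on-auth-failure path is what keeps the instance working across the rotation window without a restart or redeploy.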