AWS Certified Developer – Associate / Question #605 of 557

Question #605

A developer is configuring an AWS Lambda function that requires credentials to access an Amazon RDS for PostgreSQL database. The credentials are currently stored in environment variables. The developer must enhance the solution by implementing secure credential storage, automatic rotation, and seamless integration with the Lambda function while minimizing management overhead. Which approach meets these requirements?

A

Store the credentials in AWS Systems Manager Parameter Store. Configure the parameter to reference the RDS database. Encrypt the parameter using the default AWS KMS key. Enable scheduled rotation using a custom Lambda function. Retrieve the parameter in the Lambda function to connect to the database.

B

Encrypt the credentials with a customer-managed AWS KMS key. Store the encrypted credentials in Amazon S3. Create a secondary Lambda function to rotate the credentials weekly. Use an Amazon EventBridge scheduled rule to trigger rotation. Update the RDS database credentials manually. Decrypt the credentials in the primary Lambda function to access the database.

C

Store the credentials in AWS Secrets Manager. Set the secret type to 'Credentials for Amazon RDS database' and select the PostgreSQL instance. Encrypt the secret with the default AWS KMS key. Enable automatic rotation configured for the secret. Retrieve the secret directly in the Lambda function to connect to the database.

D

Encrypt the credentials using AWS KMS and store them in an Amazon ElastiCache cluster. Develop a custom rotation mechanism using a Step Function workflow triggered by Amazon EventBridge. Update the RDS database credentials and ElastiCache entries during rotation. Decrypt the credentials in the Lambda function to establish database connections.

Explanation

Option C is correct because AWS Secrets Manager provides secure storage for credentials, supports automatic rotation for RDS databases (including PostgreSQL) without custom rotation code, and integrates directly with Lambda. Secrets Manager encrypts the secret with the default AWS KMS key, so no manual key management is needed. Retrieving the secret directly in the Lambda function gives seamless integration. The other options are incorrect because:
- A: Systems Manager Parameter Store has no native automatic rotation for RDS credentials, so a custom rotation Lambda function would have to be written and maintained.
- B: Amazon S3 is not a secrets store, and updating the RDS credentials manually on every rotation adds overhead.
- D: ElastiCache is not designed for credential storage, and a custom Step Functions rotation workflow adds complexity.

Key Points: Use Secrets Manager for RDS credential storage/rotation; avoid manual/custom solutions to reduce overhead.

Answer

The correct answer is: C
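Retrieving the secret from the Lambda function, as an added example that is not part of the original question or any AWS sample code: it parses the JSON body of an RDS-type secret, caches it across warm invocations so GetSecretValue is not called on every request, and refetches once when the database rejects the cached credentials, which happens for a short window right after automatic rotation. The secret name, the constructed sample secret body and the `connect` callback are assumptions.

```python
import json
import time

# Assumption: the secret name or ARN is passed in via the function's environment; placeholder here.
SECRET_ID = "PLACEHOLDER_SECRET_NAME"
CACHE_TTL_SECONDS = 300  # re-read the secret at most every 5 minutes per warm container
_cache = {"creds": None, "fetched_at": 0.0}

# Constructed sample of the JSON body Secrets Manager keeps for an RDS-type secret.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "app_user", "password": "constructed-example-password", "engine": "postgres",
    "host": "db.example.internal", "port": 5432, "dbname": "appdb",
})

def parse_rds_secret(secret_string):
    """Map the RDS-type secret fields onto the keyword arguments a PostgreSQL driver expects."""
    data = json.loads(secret_string)
    missing = [k for k in ("username", "password", "host", "port") if k not in data]
    if missing:
        raise ValueError(f"secret is missing fields: {missing}")
    return {"user": data["username"], "password": data["password"], "host": data["host"],
            "port": int(data["port"]), "dbname": data.get("dbname", "postgres")}

def get_db_credentials(secrets_client, now=None, force_refresh=False):
    """Return cached credentials; call GetSecretValue only when the cache is cold or stale."""
    now = time.time() if now is None else now
    stale = now - _cache["fetched_at"] > CACHE_TTL_SECONDS
    if force_refresh or _cache["creds"] is None or stale:
        resp = secrets_client.get_secret_value(SecretId=SECRET_ID)
        _cache["creds"] = parse_rds_secret(resp["SecretString"])
        _cache["fetched_at"] = now
    return _cache["creds"]

def connect_with_rotation_retry(secrets_client, connect):
    """Connect; if the database rejects cached credentials (rotated since the last fetch),
    refetch the secret once and retry. `connect` is assumed to raise PermissionError on auth failure."""
    try:
        return connect(**get_db_credentials(secrets_client))
    except PermissionError:
        return connect(**get_db_credentials(secrets_client, force_refresh=True))

def lambda_handler(event, context):
    import boto3  # available in the Lambda runtime; a real handler would also import the DB driver
    client = boto3.client("secretsmanager")
    creds = get_db_credentials(client)  # the secret never sits in environment variables
    return {"statusCode": 200, "body": f"credentials loaded for {creds['user']}@{creds['host']}"}
```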