Question #680
A company must deploy all its Amazon Aurora DB clusters using AWS CloudFormation templates within an AWS CodePipeline CI/CD workflow. The master password for each DB cluster must be automatically generated during deployment with the LEAST development effort.
Which solution will meet these requirements?
A. Create an AWS Lambda-backed CloudFormation custom resource. Write Lambda code to generate a secure password using AWS KMS. Return the password via the custom resource response. Use Fn::GetAtt to retrieve the password and apply it to the Aurora DB cluster resource.
B. Add an AWS CodeBuild step in CodePipeline to execute a script that generates a random password using OpenSSL. Pass the password as a CloudFormation parameter with NoEcho enabled. Reference the parameter in the Aurora DB cluster resource.
C. Create an AWS Lambda-backed custom resource to generate a secure password. Store the password in AWS Secrets Manager using a SecretsManager::Secret resource. Use a secretsmanager dynamic reference in the Aurora DB cluster resource to retrieve the password.
D. Use the AWS::SecretsManager::Secret resource to generate and store a secure password. Reference the password directly in the Aurora DB cluster resource using the secretsmanager dynamic reference syntax.
Explanation
The correct answer is D because:
1. AWS::SecretsManager::Secret natively supports password generation via the GenerateSecretString property, eliminating the need for custom Lambda code (unlike A/C).
2. Dynamic references (e.g., {{resolve:secretsmanager:secret-id:SecretString:password}}) securely retrieve the password without exposing it in templates/logs, unlike passing parameters (B).
3. Least effort: No additional Lambda/CodeBuild steps are required (A/B/C), because Secrets Manager handles password generation and storage natively.
Other options are incorrect because:
- A/C: Require custom Lambda code, increasing development effort.
- B: Passwords in parameters are insecure and visible in logs.
- B/C: Extra pipeline steps (CodeBuild/Lambda) add complexity.
Key Points: Use AWS::SecretsManager::Secret with GenerateSecretString and dynamic references for secure, low-effort password management in CloudFormation.
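The following CloudFormation template is an added example illustrating option D; it is not part of the original question or of any AWS sample. It shows the two pieces the explanation names: an AWS::SecretsManager::Secret with GenerateSecretString, and a secretsmanager dynamic reference on the Aurora cluster's master credentials. The secret name, logical resource IDs, engine and username are assumptions chosen for the example; networking and instance resources are omitted so the pattern stays visible.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the page): Aurora cluster whose master password is
  generated and stored by Secrets Manager and consumed via a dynamic reference.

Resources:
  # 1. Secrets Manager generates the password at stack creation time.
  #    No Lambda, no CodeBuild step, no plaintext in the template.
  AuroraMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/aurora/master        # hypothetical secret name
      Description: Auto-generated master credentials for the Aurora cluster
      GenerateSecretString:
        # Fixed part of the JSON secret; the generated value is added under GenerateStringKey.
        SecretStringTemplate: '{"username": "dbadmin"}'   # assumed username
        GenerateStringKey: password
        PasswordLength: 32
        # Aurora rejects '/', '"' and '@' in the master password, so exclude them.
        ExcludeCharacters: '"@/\'

  # 2. The cluster pulls username and password through dynamic references.
  #    ${AuroraMasterSecret} resolves to the secret ARN; CloudFormation
  #    substitutes the plaintext only when it calls the RDS API, so the
  #    value never appears in the stored template, change sets or stack events.
  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql               # assumed engine
      StorageEncrypted: true
      MasterUsername: !Sub '{{resolve:secretsmanager:${AuroraMasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${AuroraMasterSecret}:SecretString:password}}'
      # DBSubnetGroupName / VpcSecurityGroupIds and the AWS::RDS::DBInstance
      # writer node are omitted from this example.

  # 3. Optional: record host, port and engine in the secret so that a later
  #    rotation Lambda can find the cluster without hard-coded endpoints.
  AuroraSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref AuroraMasterSecret
      TargetId: !Ref AuroraCluster
      TargetType: AWS::RDS::DBCluster

Outputs:
  MasterSecretArn:
    Description: ARN of the generated master credential secret (never the value itself)
    Value: !Ref AuroraMasterSecret
```

Two points worth checking in a review of such a template: the pipeline's CloudFormation service role needs secretsmanager:GetSecretValue on the secret for the dynamic reference to resolve during deployment, and the `ExcludeCharacters` list must match the target engine's password rules or the RDS call fails at create time rather than at template validation.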
Answer
The correct answer is: D