AWS Certified Developer – Associate / Question #680 of 557

Question #680

A company must deploy all its Amazon Aurora DB clusters using AWS CloudFormation templates within an AWS CodePipeline CI/CD workflow. The master password for each DB cluster must be automatically generated during deployment with the LEAST development effort.

Which solution will meet these requirements?

A

Create an AWS Lambda-backed CloudFormation custom resource. Write Lambda code to generate a secure password using AWS KMS. Return the password via the custom resource response. Use Fn::GetAtt to retrieve the password and apply it to the Aurora DB cluster resource.

B

Add an AWS CodeBuild step in CodePipeline to execute a script that generates a random password using OpenSSL. Pass the password as a CloudFormation parameter with NoEcho enabled. Reference the parameter in the Aurora DB cluster resource.

C

Create an AWS Lambda-backed custom resource to generate a secure password. Store the password in AWS Secrets Manager using a SecretsManager::Secret resource. Use a secretsmanager dynamic reference in the Aurora DB cluster resource to retrieve the password.

D

Use the AWS::SecretsManager::Secret resource to generate and store a secure password. Reference the password directly in the Aurora DB cluster resource using the secretsmanager dynamic reference syntax.

Explanation

The correct answer is D because:
1. AWS::SecretsManager::Secret natively supports password generation via the GenerateSecretString property, eliminating the need for custom Lambda code (unlike A/C).
2. Dynamic references (e.g., {{resolve:secretsmanager:secret-id:SecretString:password}}) securely retrieve the password without exposing it in templates/logs, unlike passing parameters (B).
3. Least effort: No additional Lambda/CodeBuild steps are required (A/B/C), as SecretsManager handles password generation and storage natively.

Other options are incorrect because:
- A/C: Require custom Lambda code, increasing development effort.
- B: A password passed as a template parameter leaves CloudFormation's control and can appear in the generating script's output, pipeline artifacts, and build logs, even with NoEcho.
- B/C: Extra moving parts (a CodeBuild step or a Lambda custom resource) add complexity and maintenance.

Key Points: Use AWS::SecretsManager::Secret with GenerateSecretString and dynamic references for secure, low-effort password management in CloudFormation.
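The pattern behind option D, as an added template fragment (not from the question bank or any AWS sample): Secrets Manager generates the password at stack creation, and the Aurora cluster pulls it through a dynamic reference, so the value never appears in the template, parameters, or pipeline logs. The secret name, engine, username, and instance class are assumed for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Aurora cluster whose master password is generated by Secrets Manager (added example)

Resources:
  # Secrets Manager generates the password during deployment; no Lambda or CodeBuild step needed.
  AuroraMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}-aurora-master"   # assumed naming convention
      Description: Master credentials for the Aurora DB cluster
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'  # assumed master username
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'   # Aurora rejects these in the master password

  # Dynamic references resolve at deployment time; the plaintext never lands in the template.
  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql
      MasterUsername: !Sub "{{resolve:secretsmanager:${AuroraMasterSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${AuroraMasterSecret}:SecretString:password}}"
      StorageEncrypted: true

  AuroraInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora-mysql
      DBClusterIdentifier: !Ref AuroraCluster
      DBInstanceClass: db.t3.medium   # assumed instance class

  # Links the secret to the cluster so Secrets Manager knows the rotation target.
  SecretClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref AuroraMasterSecret
      TargetId: !Ref AuroraCluster
      TargetType: AWS::RDS::DBCluster
```

Because the cluster resource depends on the secret through the dynamic reference, CloudFormation creates the secret first; a change to the password in Secrets Manager is not picked up until the stack is updated, which is where SecretTargetAttachment and a rotation schedule come in.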

Answer

The correct answer is: D