Question #827
A company needs to securely store database credentials used by an application and ensure the credentials are automatically rotated every quarter. Which solution meets these requirements MOST securely?
A. Use AWS KMS to encrypt the credentials in a configuration file. Decrypt the credentials when the application accesses the database. Enable KMS key rotation.
B. Retrieve temporary credentials from AWS STS every hour. Use the temporary credentials for database access.
C. Store the credentials in AWS Secrets Manager and enable rotation. Configure the application to retrieve credentials from Secrets Manager.
D. Store the credentials in AWS Systems Manager Parameter Store with rotation enabled using a custom Lambda function. Retrieve the credentials during database access.
Explanation
Option C is correct because AWS Secrets Manager is built to store secrets such as database credentials and to rotate them automatically on a schedule you define (a 90-day rate or a cron expression covers "every quarter"). Rotation is performed by a Lambda rotation function (AWS supplies tested templates for RDS, Redshift and DocumentDB) that sets a new password in the database and stores the new version of the secret under the AWSCURRENT staging label, with the old version kept as AWSPREVIOUS. The application reads the current version from Secrets Manager at runtime, so no human ever handles the password and nothing has to be redeployed when it changes.
- Option A encrypts the file, but KMS key rotation only rotates the KMS key material; the database password inside the file stays the same until someone changes it by hand, and the plaintext still lands on disk or in memory wherever the file is decrypted.
- Option B's STS credentials are short-lived AWS API credentials (minutes to at most 12 hours for AssumeRole), not database credentials. STS stores nothing and cannot rotate a database password, so it does not address the requirement at all.
- Option D can be made to work, but Parameter Store has no built-in rotation: you would have to write, schedule and maintain a custom Lambda that changes the password in the database and updates the parameter in the right order, which is more error-prone than Secrets Manager's managed rotation.
Key Points: Secrets Manager automates credential rotation, integrates with RDS and other database services, and lets the application retrieve the current secret securely at runtime. Use it for secrets that require periodic rotation without manual overhead.
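The retrieval side of Option C has one practical wrinkle the explanation above does not show: if the application caches the secret (as it should, to avoid calling Secrets Manager on every query), the cached password becomes stale the moment rotation promotes a new version to AWSCURRENT. The following added example, which is not part of the original question, shows a cache with a refresh-on-rejection retry. The `FakeSecretsManager` and `FakeDatabase` classes are constructed stand-ins so the code runs offline; only `get_secret_value(SecretId=..., VersionStage=...)` and the `SecretString` response field mirror the real boto3 client, and the JSON keys (`engine`, `host`, `port`, `dbname`, `username`, `password`) follow the layout Secrets Manager's RDS rotation templates expect. The secret name `prod/app/db` and the passwords are made up.

```python
"""Rotation-aware retrieval of a database secret from AWS Secrets Manager (offline demo)."""
import json
import time


class AuthError(Exception):
    """Raised by the stand-in database when a login is rejected."""


class FakeSecretsManager:
    """Constructed stand-in for the boto3 'secretsmanager' client (runs offline).

    Models get_secret_value(SecretId=..., VersionStage=...) and the two staging
    labels Secrets Manager uses: AWSCURRENT (live version) and AWSPREVIOUS.
    """

    def __init__(self, secret_id, secret_dict):
        self.secret_id = secret_id
        self.versions = {"AWSCURRENT": dict(secret_dict), "AWSPREVIOUS": None}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        if SecretId != self.secret_id or self.versions.get(VersionStage) is None:
            raise KeyError("ResourceNotFoundException")
        return {"SecretString": json.dumps(self.versions[VersionStage])}

    def finish_rotation(self, new_password):
        """Simulates the last rotation step: the new version becomes AWSCURRENT."""
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = dict(self.versions["AWSCURRENT"], password=new_password)


class FakeDatabase:
    """Constructed stand-in for the database whose password rotation changes."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.logins = 0  # counts every connect attempt, accepted or not

    def connect(self, username, password):
        self.logins += 1
        if (username, password) != (self.username, self.password):
            raise AuthError("password authentication failed")
        return f"connection as {username}"


class CachedSecret:
    """Caches the parsed secret so each query does not call Secrets Manager."""

    def __init__(self, client, secret_id, ttl_seconds=300):
        self.client, self.secret_id, self.ttl = client, secret_id, ttl_seconds
        self._value, self._fetched_at = None, 0.0

    def get(self, force=False):
        expired = time.monotonic() - self._fetched_at > self.ttl
        if force or self._value is None or expired:
            resp = self.client.get_secret_value(SecretId=self.secret_id)
            self._value = json.loads(resp["SecretString"])
            self._fetched_at = time.monotonic()
        return self._value


def connect_with_rotation_retry(cache, db):
    """Connect with cached credentials; if rejected, re-fetch once and retry.

    After a rotation the cached password is stale; the forced refresh picks up
    the version now labelled AWSCURRENT.
    """
    creds = cache.get()
    try:
        return db.connect(creds["username"], creds["password"])
    except AuthError:
        creds = cache.get(force=True)
        return db.connect(creds["username"], creds["password"])


def simulate_quarterly_rotation():
    """Drive one rotation; return (logins before, logins after, password in use)."""
    secret = {"engine": "postgres", "host": "db.example.internal", "port": 5432,
              "dbname": "app", "username": "app_user", "password": "p1"}  # constructed
    sm = FakeSecretsManager("prod/app/db", secret)
    db = FakeDatabase("app_user", "p1")
    cache = CachedSecret(sm, "prod/app/db")
    connect_with_rotation_retry(cache, db)   # first login primes the cache
    before = db.logins
    # what the rotation function does: set the new password in the database,
    # then promote the new secret version to AWSCURRENT
    db.password = "p2"
    sm.finish_rotation("p2")
    connect_with_rotation_retry(cache, db)   # stale -> AuthError -> refresh -> accepted
    return before, db.logins, cache.get()["password"]


if __name__ == "__main__":
    print(simulate_quarterly_rotation())
```

One caveat worth knowing: the single-user rotation strategy changes the database password (the "setSecret" step) before it moves the AWSCURRENT label (the "finishSecret" step), so for a short window a refresh can still return the old password. The alternating-users strategy, where rotation switches between two database users and the retired user's password stays valid until the next rotation, avoids that gap; the retry above handles the common case either way.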
Answer
The correct answer is: C