Question #1688
A company operates its databases on Amazon RDS for MySQL. The company requires a secure method to manage the master user password by automatically rotating it every 45 days. Which solution meets these requirements with the LEAST operational overhead?
A. Use Amazon EventBridge to schedule a custom AWS Lambda function that rotates the password every 45 days.
B. Use the modify-db-instance command in the AWS CLI to manually update the password periodically.
C. Integrate AWS Secrets Manager with Amazon RDS for MySQL to automate password rotation.
D. Integrate AWS Systems Manager Parameter Store with Amazon RDS for MySQL to manage password rotation.
Explanation
The correct answer is C because AWS Secrets Manager natively supports automated password rotation for Amazon RDS databases, including MySQL. Secrets Manager handles the rotation process securely and updates the password in RDS, and applications that read the secret from Secrets Manager at runtime automatically retrieve the updated credentials. This requires minimal setup (e.g., enabling rotation via the AWS Management Console or CLI) and eliminates the need for custom code or manual intervention.
Why other options are incorrect:
- A: While possible, using a custom Lambda function adds operational overhead (code maintenance, error handling, security).
- B: Manual password rotation violates the requirement for automation.
- D: AWS Systems Manager Parameter Store lacks native password rotation features, requiring custom implementation.
Key Points:
- Secrets Manager automates credential rotation for RDS.
- Rotation reduces security risks and operational effort.
- Always prefer managed services over custom solutions for AWS exams.
Answer
The correct answer is: C