Question #1030
A company operates an application on Amazon EC2 instances that connects to an Amazon RDS MySQL database. The database credentials are currently stored in a plaintext file on each EC2 instance. The company aims to reduce the operational overhead associated with managing these credentials securely.
What should a solutions architect recommend to achieve this goal?
Use AWS Secrets Manager and enable automatic rotation for the credentials.
Use AWS Systems Manager Parameter Store and implement a custom rotation process.
Store the credentials in an Amazon S3 bucket encrypted with AWS KMS. Update the application to retrieve credentials from S3.
Encrypt the credentials file using AWS KMS and store it on an encrypted EBS volume attached to each EC2 instance.
Explanation
The correct answer is A because AWS Secrets Manager provides secure credential storage, automatic rotation, and seamless integration with RDS. This eliminates the need to manually manage credentials in plaintext files.
- Why A is correct: Secrets Manager automates credential rotation, ensuring security and reducing operational effort. It also allows applications to retrieve credentials programmatically via API calls.
- Why B is incorrect: While Parameter Store can store secrets, it lacks built-in rotation for RDS credentials, requiring a custom solution that increases overhead.
- Why C is incorrect: Storing credentials in S3 shifts the problem rather than solving it, as access policies and retrieval logic must still be managed.
- Why D is incorrect: Encrypting files on EBS adds security but does not address credential rotation or centralized management, leaving operational overhead.
Key Points: Secrets Manager automates lifecycle management of credentials, integrates with AWS services, and reduces manual tasks. Always prioritize services that offer built-in automation for security best practices.
Answer
The correct answer is: A