AWS Certified Solutions Architect - Associate / Question #1105 of 1019

Question #1105

A company is developing a serverless application using AWS Lambda functions that require frequent access to an Amazon RDS PostgreSQL Multi-AZ DB instance. The company needs a secure method for the Lambda functions to connect to the database while ensuring credentials are automatically rotated every 30 days. Which solution meets these requirements?

A

Store the database credentials in AWS Secrets Manager. Configure Secrets Manager to rotate the credentials automatically and grant Lambda functions IAM permissions to retrieve the secrets.

B

Store the database credentials in AWS Systems Manager Parameter Store. Use Parameter Store's built-in rotation feature and grant Lambda functions IAM permissions to access the parameters.

C

Store the database credentials in an encrypted Amazon S3 bucket. Configure an S3 lifecycle policy to rotate the credentials every 30 days and grant Lambda functions access to the bucket.

D

Store the database credentials in environment variables encrypted with AWS KMS. Use a Lambda function to manually update the environment variables every 30 days.

Explanation

Answer A is correct because AWS Secrets Manager is designed to securely store and automatically rotate credentials for RDS databases like PostgreSQL. It integrates natively with RDS, enabling seamless rotation without custom code. Lambda functions can retrieve the latest credentials using IAM permissions, ensuring security and compliance.

Other options are incorrect because:
- B: Systems Manager Parameter Store lacks built-in rotation for RDS credentials; rotation requires custom solutions.
- C: S3 lifecycle policies cannot rotate credentials; they manage object expiration, not dynamic secret updates.
- D: Manual updates via Lambda violate the requirement for automatic rotation and are error-prone.

Key Points:
1. Secrets Manager automates RDS credential rotation.
2. IAM policies grant Lambda access to Secrets Manager.
3. Avoid storing secrets in S3 or environment variables for dynamic rotation needs.
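One practical detail behind key points 1 and 2: a warm Lambda container will typically cache the secret, so it has to cope with the moment rotation replaces the password. The helper below is an added example, not part of this question bank or of any AWS SDK; it assumes a Secrets Manager client exposing `get_secret_value(SecretId=...)` (boto3's call) and a caller-supplied `connect(creds)` callback (psycopg2 in a real Lambda), both injected so the logic runs offline.

```python
import json
import time

# Module-level cache: Lambda reuses the execution environment between warm
# invocations, so the secret is fetched once per container, not per request.
_CACHE = {}
CACHE_TTL_SECONDS = 300


class DatabaseAuthError(Exception):
    """Raised by connect() when the database rejects the credentials.
    Real code maps the driver's auth failure (for psycopg2, an
    OperationalError mentioning 'password authentication failed') to this."""


def clear_credential_cache():
    _CACHE.clear()


def get_db_credentials(secrets_client, secret_id, force_refresh=False, now=time.time):
    """Return the secret's JSON payload (username, password, host, ...) as a dict.

    secrets_client is assumed to expose get_secret_value(SecretId=...), the
    boto3 Secrets Manager call; it is injected so this runs without AWS access.
    With no VersionStage argument, Secrets Manager returns AWSCURRENT, i.e. the
    password the rotation function most recently promoted.
    """
    entry = _CACHE.get(secret_id)
    if entry and not force_refresh and now() - entry["fetched_at"] < CACHE_TTL_SECONDS:
        return entry["value"]
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    value = json.loads(resp["SecretString"])
    _CACHE[secret_id] = {"value": value, "fetched_at": now()}
    return value


def connect_with_rotation_retry(secrets_client, secret_id, connect):
    """Open a DB connection, re-reading the secret once if the cached
    password was rotated between the cache fill and this call.

    connect(creds) returns a connection or raises DatabaseAuthError.
    """
    creds = get_db_credentials(secrets_client, secret_id)
    try:
        return connect(creds)
    except DatabaseAuthError:
        # The cached copy is stale: rotation changed the password in the
        # database and in AWSCURRENT. Refresh from Secrets Manager and retry once.
        creds = get_db_credentials(secrets_client, secret_id, force_refresh=True)
        return connect(creds)
```

The IAM side of key point 2 stays narrow: the function's execution role needs `secretsmanager:GetSecretValue` on that one secret's ARN (plus `kms:Decrypt` if a customer managed key encrypts it), nothing broader.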

Answer

The correct answer is: A