Question #555
A solutions architect is designing a new version of an application that currently hardcodes credentials for an Amazon RDS for PostgreSQL database. The security team mandates the following enhancements:
- Credentials must be stored securely using an AWS managed service without hardcoding.
- Deployment must be automated through AWS CloudFormation.
- Database credentials must be automatically rotated every 90 days.
Which combination of resources in the CloudFormation template will meet these requirements with the LEAST operational effort?
A. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
B. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
C. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
D. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS Step Functions state machine resource to orchestrate password rotation every 90 days.
Explanation
The correct answer is A because:
1. AWS Secrets Manager stores the credentials (eliminating hardcoding), generates the initial password itself, and has native rotation support that CloudFormation exposes as the AWS::SecretsManager::RotationSchedule resource. The RotationSchedule carries both the rotation function and the schedule (RotationRules with AutomaticallyAfterDays: 90), so no separate scheduler is needed. The database can consume the secret through a dynamic reference ({{resolve:secretsmanager:...}}), so the password never appears in the template or its parameters.
2. Options B and D use Parameter Store, which has no built-in rotation. Option B's "Parameter Store RotationSchedule" resource does not exist in CloudFormation, and option D would require writing and maintaining a Step Functions state machine plus the rotation logic it orchestrates (higher effort).
3. Option C stores the password correctly but schedules rotation with an EventBridge rule. That is redundant, since the RotationSchedule already schedules rotation, and it is also more work: a Lambda invoked directly by EventBridge does not receive the Secrets Manager rotation event (the ClientRequestToken and createSecret/setSecret/testSecret/finishSecret steps), so the staging-label handling that Secrets Manager performs for you would have to be reimplemented.
Key Points:
- Secrets Manager integrates with RDS and rotates via a Lambda function. With the HostedRotationLambda property of the RotationSchedule, CloudFormation deploys an AWS-provided rotation function for PostgreSQL, so no custom rotation code has to be written or maintained.
- CloudFormation's AWS::SecretsManager::RotationSchedule resource configures the function and the 90-day schedule in one place. An AWS::SecretsManager::SecretTargetAttachment is needed first so the secret contains the host, port and engine the rotation function uses to connect.
- The application must read the secret at runtime (GetSecretValue) and re-read it after a connection failure; a value resolved once at deployment time goes stale after the first rotation.
- Parameter Store (SecureString) requires custom rotation logic and scheduling, increasing operational overhead.
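The following template is an added, worked example of option A; it is not part of the original question or its explanation. The network layout is assumed: a VpcId parameter and a list of private subnets that can reach RDS and the Secrets Manager endpoint (through a NAT gateway or a VPC interface endpoint), and a single security group shared by the database and the rotation function. Resource names such as DBSecret, SecretAttachment and DBSecretRotation are illustrative.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Required for HostedRotationLambda: the transform deploys the AWS-provided
# rotation function from the Serverless Application Repository.
Transform: AWS::SecretsManager-2020-07-23
Description: Added example (not from the question). RDS for PostgreSQL with a
  Secrets Manager generated password rotated automatically every 90 days.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:            # assumed: private subnets with a route to Secrets Manager
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  # 1. Secrets Manager generates the password; nothing is hardcoded.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the application's PostgreSQL database
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  # Security group shared by the database and the rotation function so the
  # function can reach port 5432 (assumed layout; adapt to your network).
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: PostgreSQL access for the application and rotation Lambda
      VpcId: !Ref VpcId
  DBIngressFromSelf:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: !Ref DBSecurityGroup

  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets for the PostgreSQL instance
      SubnetIds: !Ref PrivateSubnetIds

  # 2. The instance reads username and password through dynamic references,
  #    so the password never appears in the template, parameters or stack events.
  DBInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageEncrypted: true
      PubliclyAccessible: false
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}::password}}'

  # 3. The attachment adds host, port, engine and dbInstanceIdentifier to the
  #    secret; the rotation function needs them to connect to the database.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance

  # 4. One resource owns both the rotation function (AWS-hosted, no custom
  #    code) and the 90-day schedule, so no EventBridge rule is required.
  #    SecretId references the attachment (Ref returns the secret ARN) so the
  #    schedule is created only after the connection details exist.
  DBSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref SecretAttachment
      HostedRotationLambda:
        RotationType: PostgreSQLSingleUser
        RotationLambdaName: !Sub '${AWS::StackName}-pg-rotation'
        VpcSecurityGroupIds: !Ref DBSecurityGroup
        VpcSubnetIds: !Join [',', !Ref PrivateSubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 90
      RotateImmediatelyOnUpdate: false

Outputs:
  SecretArn:
    Description: ARN the application reads at runtime with GetSecretValue
    Value: !Ref DBSecret
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name app-db --capabilities CAPABILITY_IAM --parameter-overrides VpcId=... PrivateSubnetIds=...`; the IAM capability is needed because the transform creates the rotation function's execution role. To confirm the requirement is met, `aws secretsmanager describe-secret --secret-id <SecretArn>` should show RotationEnabled true and AutomaticallyAfterDays 90, and after a test rotation (`aws secretsmanager rotate-secret`) the AWSCURRENT version should carry a new password. The single-user rotation type changes the master password in place, so clients holding pooled connections must re-read the secret on authentication failure; the PostgreSQLMultiUser type alternates between two users if a zero-downtime switch is required.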
Answer
The correct answer is: A