Question #938
A company is deploying Amazon EC2 instances that access an Amazon RDS for MySQL database across development and production environments. The company must avoid storing credentials in application code and ensure automatic password rotation. Which solution meets these requirements?
A. Store the database credentials for both environments in AWS Systems Manager Parameter Store. Encrypt the credentials using AWS KMS. Within the application code, retrieve the credentials from Parameter Store using the AWS SDK. Grant the EC2 instances' IAM roles access to the Parameter Store parameters and the KMS key.
B. Store the database credentials for both environments in AWS Secrets Manager with distinct secret entries for development and production. Enable automatic rotation. Reference the Secrets Manager secret ARNs as environment variables for the EC2 instances.
C. Store the database credentials in AWS Key Management Service (AWS KMS) with separate keys for development and production. Enable key rotation. Reference the KMS key IDs as environment variables for the EC2 instances.
D. Store the credentials in separate Amazon S3 buckets for development and production. Enable server-side encryption with AWS KMS. Use bucket naming conventions to allow EC2 instances to retrieve environment-specific credentials. Grant the EC2 instances' IAM roles access to the corresponding S3 buckets.
Explanation
Answer B is correct because AWS Secrets Manager provides automatic credential rotation, which is a key requirement. By storing credentials as distinct secrets for each environment and referencing them via ARNs (not embedding credentials in code), the solution securely manages access. Secrets Manager also integrates with IAM for access control.
Option A uses Parameter Store, which lacks automatic rotation. Option C incorrectly uses KMS for credential storage (KMS manages keys, not secrets). Option D uses S3, which doesn't support automatic password rotation. Secrets Manager uniquely meets both requirements: avoiding credentials in code and enforcing rotation.
Answer
The correct answer is: B