Which solution will meet these requirements MOST securely?
Set up IAM database authentication for token-based access. Generate user tokens to provide centralized access to RDS DB instances, Amazon DocumentDB clusters, and Aurora DB instances.
Create parameters for the database credentials in AWS Systems Manager Parameter Store. Set the Type parameter to SecureString. Set up automatic rotation on the parameters.
Store the database access credentials as an encrypted Amazon S3 object in an S3 bucket. Block all public access on the S3 bucket. Use S3 server-side encryption to set up automatic rotation on the encryption key.
Create an AWS Lambda function by using the SecretsManagerRotationTemplate template in the AWS Secrets Manager console. Create secrets for the database credentials in Secrets Manager. Set up secrets rotation on a schedule.
Explanations:
IAM database authentication is a secure method for accessing databases, but it does not specifically address the requirement for storing encrypted database credentials or automatic rotation. It focuses on token-based access rather than managing credentials securely.
While using AWS Systems Manager Parameter Store with SecureString does encrypt the credentials at rest, it does not provide built-in support for automatic rotation of the credentials, which is a key requirement in this scenario.
Storing credentials as an encrypted S3 object does provide encryption at rest. However, it does not inherently offer automatic rotation of the credentials themselves (rotating the bucket's encryption key does not change the database password), which is a key requirement. Additionally, S3 is not the recommended place to manage credentials when a dedicated secrets-management service is available.
AWS Secrets Manager is designed specifically for managing secrets, providing encryption at rest and built-in support for automatic rotation of database credentials. This option meets both the encryption and rotation requirements of the company’s security policy.