What should a solutions architect do to meet this requirement with the LEAST operational effort?
A. Create a new AWS Key Management Service (AWS KMS) encryption key. Use AWS Secrets Manager to create a new secret that uses the KMS key with the appropriate credentials. Associate the secret with the Aurora DB cluster. Configure a custom rotation period of 14 days.
B. Create two parameters in AWS Systems Manager Parameter Store: one for the user name as a string parameter and one that uses the SecureString type for the password. Select AWS Key Management Service (AWS KMS) encryption for the password parameter, and load these parameters in the application tier. Implement an AWS Lambda function that rotates the password every 14 days.
C. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS) encrypted Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system in all EC2 instances of the application tier. Restrict access to the file on the file system so that the application can read the file and only super users can modify it. Implement an AWS Lambda function that rotates the key in Aurora every 14 days and writes new credentials into the file.
D. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS) encrypted Amazon S3 bucket that the application uses to load the credentials. Download the file to the application regularly to ensure that the correct credentials are used. Implement an AWS Lambda function that rotates the Aurora credentials every 14 days and uploads these credentials to the file in the S3 bucket.
Explanations:
A. AWS Secrets Manager provides built-in functionality for managing secrets, including automated rotation of credentials. Using a custom rotation period of 14 days directly meets the requirement for rotating database credentials with minimal operational effort.
B. While using AWS Systems Manager Parameter Store with a Lambda function for rotation could work, it involves more operational complexity than AWS Secrets Manager. The need to manage two separate parameters and implement custom rotation logic increases the workload unnecessarily.
C. Storing credentials in an EFS file adds unnecessary complexity, including managing file access and mounting on EC2 instances. Additionally, implementing a Lambda function for rotation increases operational overhead, which goes against the requirement for minimal effort.
D. Using an S3 bucket for storing credentials requires regular downloads by the application, which introduces complexity and potential security risks. This approach also necessitates implementing Lambda for credential rotation, making it more operationally intensive than using