Which solution will meet these requirements?
Enable IAM database authentication on the RDS for MySQL DB instance. Create an IAM role that has the minimum required permissions. Assign the role to the application.
Store the MySQL credentials as secrets in AWS Secrets Manager. Create an IAM role that has the minimum required permissions to retrieve the secrets. Assign the role to the application.
Configure the MySQL credentials as environment variables that are available at runtime for the application.
Store the MySQL credentials as SecureString parameters in AWS Systems Manager Parameter Store. Create an IAM role that has the minimum required permissions to retrieve the parameters. Assign the role to the application.
Explanations:
Enabling IAM database authentication allows the application to connect to the RDS for MySQL database using temporary credentials issued by AWS. This eliminates the need for long-term credentials, as IAM roles can assume temporary permissions to access the database securely.
While storing MySQL credentials in AWS Secrets Manager is a good practice for managing sensitive information, this option does not meet the requirement of avoiding long-term credentials if the application still needs to use those credentials to authenticate to the database.
Storing MySQL credentials as environment variables could lead to long-term credentials being exposed or mismanaged, which violates the requirement for avoiding long-term credentials. Environment variables can also be less secure compared to using IAM roles or AWS services designed for credential management.
Although storing MySQL credentials as SecureString parameters in AWS Systems Manager Parameter Store is a secure option, this approach still requires the application to retrieve and use long-term credentials to authenticate to the database, thus not fully meeting the requirement of avoiding long-term credentials.