What is the MOST operationally efficient solution that meets these requirements?
Use an AWS Lambda function as a CloudFormation custom resource to generate and rotate the password.
Use an AWS Systems Manager Parameter Store resource with the SecureString data type to generate and rotate the password.
Use a cron daemon on the application’s host to generate and rotate the password.
Use an AWS Secrets Manager resource to generate and rotate the password.
Explanations:
Using an AWS Lambda function as a CloudFormation custom resource can generate and rotate the password, but it requires more operational overhead for managing the Lambda function and handling custom resource updates. It is less efficient than the built-in AWS services designed for this purpose.
AWS Systems Manager Parameter Store with SecureString can store sensitive data like passwords, but it does not natively support automatic password rotation without additional scripting or automation, making it less efficient than using a dedicated service.
Using a cron daemon on the application’s host to generate and rotate the password introduces unnecessary complexity and operational burden, because it requires managing an additional process and ensuring it runs reliably. This is less efficient than using AWS managed services.
AWS Secrets Manager is specifically designed to manage secrets such as database passwords. It supports automatic password generation and rotation, and it integrates seamlessly with RDS, minimizing operational overhead while providing secure and efficient management of sensitive information.