Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company runs a Node js function on a server in its on-premises data center.The data center stores data in a PostgreSQL database.The company stores the credentials in a connection string in an environment variable on the server.The company wants to migrate its application to AWS and to replace the Node.js application server with AWS Lambda.The company also wants to migrate to Amazon RDS for PostgreSQL and to ensure that the database credentials are securely managed.

Which solution will meet these requirements with the LEAST operational overhead?

Store the database credentials as a parameter in AWS Systems Manager Parameter Store Configure Parameter Store to automatically rotate the secrets every 30 days. Update the Lambda function to retrieve the credentials from the parameter.

Store the database credentials as a secret in AWS Secrets Manager. Configure Secrets Manager to automatically rotate the credentials every 30 days. Update the Lambda function to retrieve the credentials from the secret.

Store the database credentials as an encrypted Lambda environment variable. Write a custom Lambda function to rotate the credentials. Schedule the Lambda function to run every 30 days.

Store the database credentials as a key in AWS Key Management Service (AWS KMS). Configure automatic rotation for the key. Update the Lambda function to retneve the credentials from the KMS key.

Explanations:

While AWS Systems Manager Parameter Store can securely store parameters, it does not provide built-in functionality for automatic credential rotation. This would require additional operational effort to implement a custom solution for rotation.

AWS Secrets Manager is designed specifically for managing sensitive information like database credentials, and it includes built-in functionality for automatic rotation of secrets. This minimizes operational overhead, as the Lambda function can easily retrieve the credentials securely.

Although storing the credentials as an encrypted environment variable is a secure method, creating a custom Lambda function for credential rotation adds operational complexity and overhead. This solution requires additional maintenance and does not leverage built-in AWS capabilities for secret management.

AWS Key Management Service (AWS KMS) is primarily used for key management and encryption but does not store secrets or credentials directly. Additionally, KMS does not have built-in functionality for automatic rotation of secrets, requiring a more complex solution to manage credentials securely.

2025-10-09

1 Comment

  1. Amy
    Author

    I categorize that the answer is:
    Store the database credentials as a secret in AWS Secrets Manager. Configure Secrets Manager to automatically rotate the credentials every 30 days. Update the Lambda function to retrieve the credentials from the secret.

Leave a Reply

Your email address will not be published. Required fields are marked *

eighteen − six =