Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company is developing a two-tier web application on AWS.The company’s developers have deployed the application on an Amazon EC2 instance that connects directly to a backend Amazon RDS database.The company must not hardcode database credentials in the application.The company must also implement a solution to automatically rotate the database credentials on a regular basis.

Which solution will meet these requirements with the LEAST operational overhead?

Store the database credentials in the instance metadata. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and instance metadata at the same time.

Store the database credentials in a configuration file in an encrypted Amazon S3 bucket. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. Use S3 Versioning to ensure the ability to fall back to previous values.

Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.

Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Turn on automatic rotation for the encrypted parameters. Attach the required permission to the EC2 role to grant access to the encrypted parameters.

Explanations:

Storing database credentials in instance metadata is not secure as metadata can be accessed by anyone with access to the instance. Additionally, using a Lambda function with EventBridge adds unnecessary operational overhead since it requires managing the Lambda function and the scheduling, making this approach less efficient.

Although using an S3 bucket with encrypted configuration files adds a layer of security, it still requires managing a Lambda function and handling S3 Versioning. This adds complexity and operational overhead. Moreover, storing credentials in S3 could expose them if not properly secured.

AWS Secrets Manager is designed specifically for managing sensitive information such as database credentials. It provides built-in support for automatic rotation of credentials and simplifies access management with IAM roles. This approach has the least operational overhead, as it requires minimal management after setup.

While AWS Systems Manager Parameter Store can securely store parameters, it requires additional management to implement automatic rotation, which is not as straightforward as using Secrets Manager. This adds operational overhead compared to option C, which directly supports credential rotation.

2025-10-21

1 Comment

  1. Harold
    Author

    I assess that the answer is:
    Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − 2 =