Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3.For the next version of the application, the security engineer wants to implement the following application design changes to improve security:The database must use strong, randomly generated passwords stored in a secure AWS managed service.The application resources must be deployed through AWS CloudFormation.The application must rotate credentials for the database every 90 days.A solutions architect will generate a CloudFormation template to deploy the application.

Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.

Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.

Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.

Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.

Explanations:

AWS Secrets Manager is designed for managing sensitive information such as database credentials and provides automatic rotation capabilities with minimal overhead. The Secrets Manager RotationSchedule resource directly supports credential rotation, including setting the schedule to rotate the database password every 90 days.

While AWS Systems Manager Parameter Store can securely store the password, it does not have built-in support for automatic credential rotation like Secrets Manager. A custom Lambda function is required, but the operational overhead is higher as Parameter Store does not offer an integrated RotationSchedule resource.

AWS Secrets Manager supports automatic credential rotation, but using Amazon EventBridge to trigger a Lambda function for rotation introduces unnecessary complexity. Secrets Manager has native support for configuring the rotation schedule directly without needing an additional EventBridge rule.

AWS Systems Manager Parameter Store lacks integrated automatic password rotation. While it could store the password securely, AWS AppSync DataSource is not intended for password rotation and does not fulfill the requirements for automatic rotation. A Lambda function would be needed, adding more operational overhead.

2025-10-12

1 Comment

  1. Liam
    Author

    I conclude that the answer is:
    Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen − four =