Which solution meets this requirement in the MOST operationally efficient manner?
Store the database credentials in AWS Secrets Manager. Configure automatic rotation for the secret every 365 days.
Store the database credentials as a parameter in the RDS parameter group. Create a database trigger to rotate the password every 365 days.
Store the database credentials in a private Amazon S3 bucket. Schedule an AWS Lambda function to generate a new set of credentials every 365 days.
Store the database credentials in AWS Systems Manager Parameter Store as a secure string parameter. Configure automatic rotation for the parameter every 365 days.
Explanations:
AWS Secrets Manager supports automatic password rotation and can securely store and manage database credentials. Configuring automatic rotation for the secret ensures the password is updated every 365 days, which is the most efficient and secure way to meet the requirement.
RDS parameter groups are used to manage database configuration settings, but they do not support automatic password rotation. A database trigger is not a standard or efficient method for password rotation.
Storing credentials in Amazon S3 and scheduling a Lambda function to generate new credentials introduces unnecessary complexity. This approach lacks the built-in secret protection of AWS Secrets Manager or Systems Manager Parameter Store, and the built-in password rotation of Secrets Manager.
AWS Systems Manager Parameter Store supports secure storage for credentials, but it lacks built-in automatic rotation capabilities like Secrets Manager. Automatic rotation for parameters would need to be implemented manually, which is less operationally efficient than using Secrets Manager.