Which steps should a Database Specialist take to meet these requirements using an AWS CloudFormation template?
Create the database with the MasterUserName and MasterUserPassword properties set to the default values. Then, create the secret with the user name and password set to the same default values. Add a Secret Target Attachment resource with the SecretId and TargetId properties set to the Amazon Resource Names (ARNs) of the secret and the database. Finally, update the secret’s password value with a randomly generated string set by the GenerateSecretString property.
Add a Mapping property from the database Amazon Resource Name (ARN) to the secret ARN. Then, create the secret with a chosen user name and a randomly generated password set by the GenerateSecretString property. Add the database with the MasterUserName and MasterUserPassword properties set to the user name of the secret.
Add a resource of type AWS::SecretsManager::Secret and specify the GenerateSecretString property. Then, define the database user name in the SecretStringTemplate template. Create a resource for the database and reference the secret string for the MasterUserName and MasterUserPassword properties. Then, add a resource of type AWS::SecretsManager::SecretTargetAttachment with the SecretId and TargetId properties set to the Amazon Resource Names (ARNs) of the secret and the database.
Create the secret with a chosen user name and a randomly generated password set by the GenerateSecretString property. Add a SecretTargetAttachment resource with the SecretId property set to the Amazon Resource Name (ARN) of the secret and the TargetId property set to a parameter value matching the desired database ARN. Then, create a database with the MasterUserName and MasterUserPassword properties set to the previously created values in the secret.
Explanations:
The use of default values for MasterUserName and MasterUserPassword in the database is not secure. The credentials must be random and securely stored. Additionally, the SecretTargetAttachment resource is incorrectly placed, and it is not good practice to link the secret and database while they still hold default values.
The approach of linking a secret with a pre-chosen user name and a randomly generated password using the GenerateSecretString property is partially correct, but referencing a specific username for the database is not ideal. The database should use the random credentials from the secret directly, not from the secret’s static username.
This option correctly uses AWS Secrets Manager for securely storing a randomly generated password via the GenerateSecretString property. The database credentials are referenced from the secret, ensuring proper security. It also includes the appropriate SecretTargetAttachment to securely link the secret to the database.
While the creation of a secret with a randomly generated password is correct, the use of a static user name in the database, with MasterUserName and MasterUserPassword set directly from values copied out of the secret, is not ideal. The password should be dynamically linked and properly secured through AWS Secrets Manager's integration.
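The pattern described in the correct option, written out as a CloudFormation template. This is an added example, not part of the original question or of any AWS documentation; the logical IDs (DbMasterSecret, ExampleDb, DbSecretAttachment), the user name "admin" and the instance sizing are assumptions chosen for illustration. Note that the actual AWS::RDS::DBInstance property is spelled MasterUsername, not MasterUserName as in the option text.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original page). Master credentials are generated
  by Secrets Manager, consumed by RDS through dynamic references, and attached
  to the database. Logical IDs and sizing are assumptions.

Resources:
  # 1. The secret. GenerateSecretString builds the JSON value: the user name
  #    comes from SecretStringTemplate, the password is generated into the
  #    key named by GenerateStringKey. The plaintext never appears here.
  DbMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the example database (assumed name)
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        # RDS MySQL rejects these characters in the master password.
        ExcludeCharacters: '"@/\'

  # 2. The database. Both credential properties are dynamic references that
  #    CloudFormation resolves at deploy time, so the password is not stored
  #    in the template, in parameters, or in stack outputs.
  ExampleDb:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      StorageEncrypted: true
      PubliclyAccessible: false
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbMasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbMasterSecret}:SecretString:password}}'

  # 3. The attachment. SecretId and TargetId are the ARNs (Ref on a secret
  #    returns its ARN). Secrets Manager adds host, port, dbname and engine
  #    to the secret so clients and rotation functions locate the database
  #    from the secret alone.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbMasterSecret
      TargetId: !Ref ExampleDb
      TargetType: AWS::RDS::DBInstance

Outputs:
  SecretArn:
    Description: Consumers fetch credentials from this secret at runtime.
    Value: !Ref DbMasterSecret
```

Ordering matters: the secret must exist before the database (the dynamic references create that dependency implicitly), and the attachment must come last because it needs both ARNs. A reviewer checking a template for this pattern looks for three things: no literal password anywhere, `{{resolve:secretsmanager:...}}` rather than a NoEcho parameter copied from the secret by hand, and a SecretTargetAttachment referencing the same secret and database.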