What is the MOST operationally efficient solution to meet these requirements?
Save the password in an Amazon S3 object. Encrypt the S3 object with an AWS KMS key. Set the KMS key to be rotated every 30 days by setting the EnableKeyRotation property to true. Use a CloudFormation custom resource to read the S3 object to extract the password.
Create an AWS Lambda function to rotate the secret. Modify the CloudFormation template to add an AWS::SecretsManager::RotationSchedule resource. Configure the RotationLambdaARN value and, for the RotationRules property, set the AutomaticallyAfterDays parameter to 30.
Modify the CloudFormation template to use the AWS KMS key as the database password. Configure an Amazon EventBridge rule to invoke the KMS API to rotate the key every 30 days by setting the ScheduleExpression parameter to */30.
Integrate the Amazon RDS for MySQL DB instances with AWS IAM and centrally manage the master database user password.
Explanations:
Saving the password in an S3 object and using a KMS key for encryption does not automatically rotate the password. Additionally, using a CloudFormation custom resource to read the password adds unnecessary complexity and operational overhead.
This option effectively uses AWS Secrets Manager to handle the password rotation. By creating an AWS Lambda function and adding a RotationSchedule resource in the CloudFormation template, the password can be automatically rotated every 30 days, meeting the security requirements efficiently.
Using an AWS KMS key as the database password is not a valid approach, as KMS keys are used for encryption rather than as passwords. Moreover, invoking the KMS API does not facilitate automatic password rotation for RDS instances.
While integrating RDS with AWS IAM can enhance security, it does not address the specific requirement for automatic password rotation. IAM-based authentication does not automatically manage or rotate the database master user password.
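The configuration described in the correct option, as an added CloudFormation example that is not from the original page: a generated master secret, the RDS instance reading it through a dynamic reference, and a RotationSchedule that rotates it every 30 days. The rotation Lambda function's ARN (passed as a parameter), the instance sizing and the username are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - RDS master password stored and rotated by Secrets Manager
Parameters:
  RotationLambdaArn:
    Type: String
    Description: ARN of the rotation Lambda function created separately (assumed to exist)
Resources:
  # The master credential lives only in Secrets Manager; the password is generated, never typed into the template.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master user credentials for the MySQL instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro   # placeholder sizing
      AllocatedStorage: '20'
      # Dynamic references resolve at deploy time, so the password never appears in parameters or outputs.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
  # Attaching the secret to the instance adds host, port and engine so the rotation function can connect.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance
  # Secrets Manager must be allowed to invoke the rotation function.
  RotationLambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref RotationLambdaArn
      Action: lambda:InvokeFunction
      Principal: secretsmanager.amazonaws.com
  # The schedule from the correct option: rotate automatically every 30 days.
  DBSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: [SecretAttachment, RotationLambdaInvokePermission]
    Properties:
      SecretId: !Ref DBSecret
      RotationLambdaARN: !Ref RotationLambdaArn
      RotationRules:
        AutomaticallyAfterDays: 30
```

The DependsOn ordering matters: the first rotation runs as soon as the schedule is created, so the connection details and the invoke permission must already be in place or that rotation fails.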