Which combination of steps should the developer take to provide database access to the container in the MOST secure manner?
(Choose two.)
Define a database secret in AWS Secrets Manager. Provide the credentials to the container by using the task definition.
Define a password in AWS CloudFormation. Pass the password into the environment variables of the container.
Enable IAM authentication for the database. Grant the appropriate permissions to the container.
Use an Amazon Cognito identity pool to authenticate the container. Use the provided response token to connect to the database.
Define an AWS Key Management Service (AWS KMS) key that encrypts the contents of the database. Grant permission to decrypt to the container.
Explanations:
Defining a database secret in AWS Secrets Manager allows for securely storing database credentials. The credentials can then be provided to the ECS container using task definition environment variables, ensuring the credentials are not hardcoded and are securely managed.
Storing passwords directly in environment variables via AWS CloudFormation is not secure. This method exposes sensitive data in plain text and does not provide the level of security needed for managing database credentials.
Enabling IAM authentication for the RDS database allows the ECS container to authenticate securely using IAM roles and policies. The container can be granted permissions through the task role in the ECS task definition. This removes the need for traditional username/password authentication.
Amazon Cognito is used for managing user authentication for applications, not for database authentication. It is not designed to provide access to Amazon RDS databases, and using it would not be appropriate for secure database access.
AWS KMS is used for encryption and decryption of data, not for managing database credentials. While KMS is useful for encrypting data at rest, it does not provide a direct method for granting a container access to the database.
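As an added illustration of the two recommended options (example code written for this page, not part of the original question or any AWS sample), the Python audit below checks a constructed ECS task definition for the pattern the explanations reject and the ones they endorse: a credential passed as a plaintext `environment` value, a `secrets` entry whose `valueFrom` references a Secrets Manager secret, and a `taskRoleArn` through which IAM database permissions can be granted. All ARNs, names and the sample password are constructed placeholders.

```python
import re

# Constructed sample task definitions (placeholder account, region and names).
# The first passes the password the way the rejected CloudFormation option does;
# the second references a Secrets Manager secret and carries a task role.
INSECURE_TASK_DEF = {
    "family": "app",
    "containerDefinitions": [{
        "name": "app",
        "environment": [
            {"name": "DB_HOST", "value": "db.example.internal"},
            {"name": "DB_PASSWORD", "value": "hunter2"},  # plaintext credential
        ],
    }],
}

SECURE_TASK_DEF = {
    "family": "app",
    "taskRoleArn": "arn:aws:iam::123456789012:role/app-task-role",  # placeholder
    "containerDefinitions": [{
        "name": "app",
        "environment": [{"name": "DB_HOST", "value": "db.example.internal"}],
        "secrets": [{
            "name": "DB_PASSWORD",
            # placeholder ARN; ECS resolves it at launch and injects the value
            "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf",
        }],
    }],
}

# Variable names that suggest a credential, and the Secrets Manager ARN shape.
SENSITIVE_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)
SECRETS_MANAGER_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:")


def audit_task_definition(task_def):
    """Return findings; an empty list means credentials come from Secrets Manager
    and a task role exists for IAM database authentication."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append("taskRoleArn missing: IAM database permissions cannot be granted to the task")
    for cd in task_def.get("containerDefinitions", []):
        for env in cd.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]):
                findings.append(f"{cd['name']}: '{env['name']}' is a plaintext environment variable")
        for sec in cd.get("secrets", []):
            if not SECRETS_MANAGER_ARN.match(sec.get("valueFrom", "")):
                findings.append(f"{cd['name']}: secret '{sec['name']}' does not reference Secrets Manager")
    return findings
```

The Secrets Manager check is deliberately strict to match the option in the question; a real deployment may also legitimately reference SSM Parameter Store ARNs in `secrets`.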