How can the solutions architect MOST securely manage the configuration of the application’s database credentials?
Provide the database password as a parameter in the CloudFormation template. Create an initialization script in the Auto Scaling group’s launch configuration UserData property to reference the password parameter using the Ref intrinsic function. Store the password on the EC2 instances. Reference the parameter for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using the Ref intrinsic function.
Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Configure the application to retrieve the password from Secrets Manager when needed. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using a dynamic reference.
Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Create an initialization script in the Auto Scaling group’s launch configuration UserData property to reference the secret resource using the Ref intrinsic function. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using the Ref intrinsic function.
Create a new AWS Systems Manager Parameter Store parameter in the CloudFormation template to be used as the database password. Create an initialization script in the Auto Scaling group’s launch configuration UserData property to reference the parameter. Reference the parameter for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using the Fn::GetAtt intrinsic function.
Explanations:
Storing the database password directly on EC2 instances is not secure. Additionally, passing sensitive information as parameters in the CloudFormation template can expose credentials in logs and the AWS Management Console. This approach does not leverage AWS’s security best practices for managing sensitive data.
Using AWS Secrets Manager allows for secure management and rotation of the database password without hardcoding it in the template. The application can retrieve the password dynamically at runtime, enhancing security by not exposing the password in logs or source code. This method follows AWS best practices for handling sensitive data.
Although using Secrets Manager is a secure approach, referencing the secret in the UserData property using the Ref function is not advisable as it would expose the secret during instance launch. The secret should be retrieved by the application at runtime instead. Therefore, this option compromises the security benefits of using Secrets Manager.
While AWS Systems Manager Parameter Store can be used to store sensitive information, it is not as secure as Secrets Manager for managing database passwords. Additionally, the use of UserData scripts to retrieve parameters can expose sensitive information in logs during instance launch. Secrets Manager is specifically designed for such use cases, providing built-in support for password rotation and access control.
I conclude that the answer is:
Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Configure the application to retrieve the password from Secrets Manager when needed. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using a dynamic reference.