How should the developer configure the database credentials for this application?
Create a database user. Store the user name and password in an AWS Systems Manager Parameter Store secure string parameter. Enable rotation of the AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter.
Enable IAM authentication for the database. Create a database user for use with IAM authentication. Enable password rotation.
Create a database user. Store the user name and password in an AWS Secrets Manager secret that has daily rotation enabled.
Use the EC2 user data to create a database user. Provide the user name and password in environment variables to the application.
Explanations:
While storing the database credentials in AWS Systems Manager Parameter Store is a valid approach, Parameter Store does not inherently provide automatic credential rotation. Rotating the AWS KMS key changes only the key that encrypts the parameter, not the database password itself. The developer would need to rotate the credentials manually or implement a custom rotation solution through additional services.
IAM authentication allows users to connect to the database without using traditional credentials, but it does not automatically manage or rotate database user passwords. It also requires the developer to set up IAM policies and roles, and this approach might not meet the requirement of weekly credential rotation.
AWS Secrets Manager is designed for securely storing, managing, and automatically rotating database credentials. By creating a secret in Secrets Manager with daily rotation enabled, the application can access the updated credentials seamlessly, meeting the company’s requirement for weekly rotation.
Using EC2 user data to create a database user and providing the credentials through environment variables is not a secure practice. It exposes sensitive information and does not facilitate automated credential rotation, failing to meet the company’s security requirement.