What is the most secure solution to store the master password?
Store the master password in a parameter file in each environment. Reference the environment-specific parameter file in the CloudFormation template.
Encrypt the master password using an AWS KMS key. Store the encrypted master password in the CloudFormation template.
Use the secretsmanager dynamic reference to retrieve the master password stored in AWS Secrets Manager and enable automatic rotation.
Use the ssm dynamic reference to retrieve the master password stored in the AWS Systems Manager Parameter Store and enable automatic rotation.
Explanations:
Storing the master password in a parameter file in each environment poses a security risk as the password could be exposed in version control. It doesn’t provide secure password rotation or management.
Encrypting the master password with an AWS KMS key and storing it in the CloudFormation template is not secure. Storing passwords in templates, even encrypted, can lead to accidental exposure.
Using the Secrets Manager dynamic reference to retrieve the master password allows for secure storage and automatic rotation. Secrets Manager is designed for managing sensitive data like passwords and provides built-in rotation.
Although AWS Systems Manager Parameter Store can store passwords securely, it doesn’t provide native automatic rotation for database passwords as AWS Secrets Manager does.
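To make the correct option concrete, here is an added CloudFormation example (not part of the original question or its explanations) showing the Secrets Manager pattern described above: the master password is generated inside Secrets Manager, the RDS instance reads it through a `{{resolve:secretsmanager:...}}` dynamic reference so the plaintext never appears in the template or a parameter file, and a rotation schedule turns on automatic rotation. The logical names (`DBMasterSecret`, `Database`, `SecretAttachment`, `SecretRotation`), the username `admin`, the 30-day rotation interval and the instance sizing are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: RDS master password held in Secrets Manager, consumed via a
  dynamic reference, and rotated automatically. Resource names are assumptions.

Resources:
  # 1. Secrets Manager creates the password; nobody ever types or commits it.
  DBMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the example database
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'   # assumed username
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'   # characters RDS/MySQL rejects in passwords

  # 2. The template only carries a reference; CloudFormation resolves it at
  #    deploy time, so the password is absent from the template and from
  #    the parameter files checked into version control.
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro     # assumed sizing
      AllocatedStorage: '20'
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBMasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBMasterSecret}:SecretString:password}}'

  # 3. Attach the secret to the instance so rotation knows host/port/engine.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBMasterSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  # 4. Enable automatic rotation with the AWS-hosted rotation function.
  #    Parameter Store has no equivalent built-in mechanism.
  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DBMasterSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 30    # assumed interval
```

Two practical checks when reviewing a template like this: the dynamic reference must appear in a property CloudFormation is allowed to resolve secrets into (`MasterUserPassword` qualifies), and the rotation schedule must depend on the target attachment, otherwise the first rotation can run before the secret knows which database it belongs to. Applications should likewise read credentials from the secret at runtime rather than from stack outputs, so that rotated values are picked up without a redeploy.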