What is the MOST cost-effective way to manage the storage of credentials?
Use AWS Systems Manager to store the credentials as SecureString parameters. Secure them by using an AWS KMS key.
Use AWS Key Management Service to store a master key, which is used to encrypt the credentials. The encrypted credentials are stored in an Amazon RDS instance.
Use AWS Secrets Manager to store the credentials.
Store the credentials in a JSON file on Amazon S3 with server-side encryption.
Explanations:
AWS Systems Manager Parameter Store can securely store credentials as SecureString parameters, which allows for fine-grained access control and auditing through AWS CloudTrail. Using AWS KMS for encryption ensures that access to the keys and parameters is controlled and logged, satisfying the audit requirement.
While using AWS KMS for encryption is a secure method, storing the credentials in an Amazon RDS instance increases complexity and costs. RDS is not specifically designed for credential management and does not provide built-in audit features for access control over individual credentials.
AWS Secrets Manager is designed for managing secrets and provides features such as automatic rotation of credentials, but it typically incurs higher costs compared to using Systems Manager Parameter Store. Given the need for cost-effectiveness, this option may not be the best choice despite its functionality.
Storing credentials in a JSON file on Amazon S3, even with server-side encryption, lacks the necessary management features, such as fine-grained access control and auditing capabilities. This method can lead to security risks and does not meet the operational safety policy’s requirements for independent auditing of access to specific credentials.