What is the MOST secure and flexible way to obtain password credentials during deployment?
Retrieve an access key from an AWS Systems Manager SecureString parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter.
Launch the EC2 instances with an EC2 IAM role to access AWS services. Retrieve the database credentials from AWS Secrets Manager.
Retrieve an access key from an AWS Systems Manager plaintext parameter to access AWS services. Retrieve the database credentials from a Systems Manager SecureString parameter.
Launch the EC2 instances with an EC2 IAM role to access AWS services. Store the database passwords in an encrypted config file with the application artifacts.
Explanations:
Although storing the database credentials in a Systems Manager SecureString parameter keeps them encrypted at rest, an access key is a long-lived static credential that must be distributed to the instances and rotated by hand; an EC2 IAM role instead supplies short-lived credentials through the instance metadata service, with nothing to store or leak. SecureString parameters also have no built-in rotation, so this option is less secure and less flexible.
Launching the instances with an EC2 IAM role gives the application temporary, automatically refreshed credentials for AWS services without embedding any key, and Secrets Manager stores the database credentials encrypted, gates access with IAM, and can rotate the password on a schedule without a redeploy. This is the most secure and flexible option.
A plaintext Systems Manager parameter stores the access key unencrypted, so anyone with read access to the parameter (or to its history and logs) obtains a long-lived credential; this is insecure regardless of how the database password is stored.
Although the EC2 IAM role is the right way to reach AWS services, a password baked into an encrypted config file that ships with the application artifacts has to be rebuilt and redeployed on every rotation, and the decryption key itself then has to be distributed to the instances; Secrets Manager avoids both problems.
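The following is an added example, not part of the original question or its explanations, showing what the recommended option looks like in application code: the instance role is the only AWS credential (boto3's default credential chain picks it up from the instance metadata service, so no key appears anywhere), the database password is fetched from Secrets Manager at runtime, and a rejected password triggers a single refresh so a rotation does not require a redeploy. The least-privilege policy for the instance role is included as a Python dict. The secret ARN, the JSON layout of the secret (username/password fields, which matches the convention AWS's own RDS rotation functions use) and the generic connect callback are assumptions for illustration.

```python
"""Added example: EC2 instance role + Secrets Manager for database credentials.

Not code from the original question. The secret ARN and the secret's JSON
layout (keys "username" and "password") are assumptions for illustration.
"""
import json
from typing import Any, Callable, Optional

# Hypothetical secret ARN used for illustration only.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf"


def instance_role_policy(secret_arn: str) -> dict:
    """Least-privilege policy to attach to the EC2 instance role: it may read
    exactly one secret and nothing else. This is what replaces the static
    access key in the rejected options."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            }
        ],
    }


def parse_secret(response: dict) -> dict:
    """Extract credentials from a GetSecretValue response. Secrets Manager
    returns either SecretString or SecretBinary; both are handled, and the
    assumed JSON layout is validated so a malformed secret fails loudly."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"].decode("utf-8")
    else:
        raise ValueError("secret has neither SecretString nor SecretBinary")
    data = json.loads(raw)
    missing = {"username", "password"} - set(data)
    if missing:
        raise ValueError(f"secret is missing fields: {sorted(missing)}")
    return {"username": data["username"], "password": data["password"]}


def fetch_db_credentials(client: Any, secret_id: str) -> dict:
    """Read the AWSCURRENT version of the secret. `client` is a boto3
    Secrets Manager client; on EC2 it authenticates with the instance role's
    temporary credentials, so no access key exists in the application."""
    response = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    return parse_secret(response)


class DbCredentials:
    """Caches the credentials and re-fetches them when the database rejects
    the cached password, which is what happens after Secrets Manager rotates
    the secret while the application keeps running."""

    def __init__(self, client: Any, secret_id: str) -> None:
        self._client = client
        self._secret_id = secret_id
        self._cached: Optional[dict] = None

    def get(self) -> dict:
        if self._cached is None:
            self._cached = fetch_db_credentials(self._client, self._secret_id)
        return self._cached

    def refresh(self) -> dict:
        self._cached = None
        return self.get()

    def connect(self, connect_fn: Callable[..., Any], auth_error: type = Exception) -> Any:
        """Call connect_fn(username=..., password=...); on an authentication
        error (the driver-specific exception class passed as auth_error)
        refresh once from Secrets Manager and retry with the rotated value."""
        try:
            return connect_fn(**self.get())
        except auth_error:
            return connect_fn(**self.refresh())


if __name__ == "__main__":
    import boto3  # real client; credentials come from the instance role on EC2

    creds = DbCredentials(boto3.client("secretsmanager"), SECRET_ARN)
    print("fetched credentials for user", creds.get()["username"])
```

Pass the database driver's authentication exception class as auth_error rather than relying on the broad default, otherwise an unrelated connection failure will trigger an unnecessary Secrets Manager call; and scope the policy's Resource to the one secret ARN rather than "*", since the instance role is reachable by every process on the instance.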