What should a database specialist do to meet those requirements in the MOST secure manner?
Store the database credentials by using AWS Systems Manager Parameter Store. Enable automatic rotation of the password. Use the AWS Cloud Development Kit (AWS CDK) in the Lambda function to retrieve the credentials from Parameter Store.
Encrypt the database credentials by using AWS Key Management Service (AWS KMS). Store the credentials in Amazon S3. Use an S3 Lifecycle policy to rotate the password. Retrieve the credentials by using Python code in Lambda.
Store the database credentials by using AWS Secrets Manager. Enable automatic rotation of the password. Configure the Lambda function to use the Secrets Manager API to retrieve the credentials.
Store the database credentials in an Amazon DynamoDB table. Assign an IAM role to the Lambda function to grant the Lambda function read-only access to the DynamoDB table. Rotate the password by using another Lambda function that runs monthly.
Explanations:
AWS Systems Manager Parameter Store can store credentials, but it does not provide built-in automatic password rotation for RDS databases. AWS Secrets Manager is more appropriate for this purpose.
Storing database credentials in Amazon S3, even when encrypted, is not a secure best practice for sensitive credentials. Also, S3 Lifecycle policies are not intended for password rotation.
AWS Secrets Manager is designed for secure storage and automatic rotation of credentials. Secrets Manager can integrate with Lambda to securely retrieve and rotate RDS credentials.
Storing sensitive credentials in DynamoDB is not recommended. DynamoDB does not natively support password rotation, and using an additional Lambda function for this task is less secure and more complex than Secrets Manager.