What should a solutions architect do to accomplish this goal?
Use AWS Secrets Manager. Turn on automatic rotation.
Use AWS Systems Manager Parameter Store. Turn on automatic rotation.
Create an Amazon S3 bucket to store objects that are encrypted with an AWS Key Management Service (AWS KMS) encryption key. Migrate the credential file to the S3 bucket. Point the application to the S3 bucket.
Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume for each EC2 instance. Attach the new EBS volume to each EC2 instance. Migrate the credential file to the new EBS volume. Point the application to the new EBS volume.
Explanations:
AWS Secrets Manager is designed for managing secrets like database credentials. It supports automatic rotation, which minimizes operational overhead by securely rotating and managing credentials without manual intervention.
Although AWS Systems Manager Parameter Store can store secrets, it does not support automatic rotation for database credentials the way AWS Secrets Manager does, which limits its ability to fully minimize credential management overhead.
Storing credentials in Amazon S3, even with encryption, does not provide a secure and managed method for handling secrets. It lacks automated rotation and is not purpose-built for credential management.
Using an encrypted EBS volume does not manage or rotate credentials; it only provides encryption at rest. This option does not reduce operational overhead related to credential management.