What should a solutions architect do to meet these requirements?
Use AWS Key Management Service (AWS KMS) to create keys. Configure the application to load the database credentials from AWS KMS. Enable automatic key rotation.
Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Create an AWS Lambda function that rotates the credentials in Secrets Manager.
Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager.
Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Systems Manager Parameter Store. Configure the application to load the database credentials from Parameter Store. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Parameter Store.
Explanations:
AWS Key Management Service (KMS) is primarily used for encryption and key management. It does not provide direct management of database credentials. This would not meet the requirement of securely storing and rotating database credentials for the application.
While storing credentials in AWS Secrets Manager is correct, creating a Lambda function to rotate credentials is unnecessary. Secrets Manager has built-in automatic rotation for supported databases like RDS, so a manually created Lambda function is not needed.
This option is correct as it uses AWS Secrets Manager to securely store the database credentials and set up automatic credential rotation. Secrets Manager integrates with RDS for automatic rotation, meeting the security and low-effort requirements.
Although AWS Systems Manager Parameter Store can store secrets, it does not offer automatic rotation of credentials like Secrets Manager. This would require additional effort to implement a custom solution for rotating the credentials, making it less optimal.