What should a solutions architect do to meet these requirements?
Use AWS Key Management Service (AWS KMS) customer master keys (CMKs) to create keys. Configure the application to load the database credentials from AWS KMS. Enable automatic key rotation.
Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Create an AWS Lambda function that rotates the credentials in Secrets Manager.
Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager.
Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Systems Manager Parameter Store. Configure the application to load the database credentials from Parameter Store. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Parameter Store.
Explanations:
AWS KMS is not intended to store and manage application credentials; it is a service for creating and managing encryption keys.
While storing credentials in Secrets Manager is good practice, creating a Lambda function for rotation adds unnecessary complexity. Secrets Manager already supports automatic credential rotation for RDS.
Storing credentials in Secrets Manager and using its built-in rotation for RDS credentials provides a secure, low-effort solution. This meets the requirement for security and minimizes programming effort.
Systems Manager Parameter Store does not provide automatic rotation for database credentials, so keeping them secure there would require additional manual effort. Secrets Manager is the more appropriate service for automatic credential rotation.