Which approach should the Database Specialist take to securely manage the database credentials?
Store the credentials in a text file in an Amazon S3 bucket. Restrict permissions on the bucket to the IAM role associated with the instance profile only. Modify the application to download the text file and retrieve the credentials on start up. Update the text file every 60 days.
Configure IAM database authentication for the application to connect to the database. Create an IAM user and map it to a separate database user for each ecommerce user. Require users to update their passwords every 60 days.
Store the credentials in AWS Secrets Manager. Restrict permissions on the secret to only the IAM role associated with the instance profile. Modify the application to retrieve the credentials from Secrets Manager on start up. Configure the rotation interval to 60 days.
Store the credentials in an encrypted text file in the application AMI. Use AWS KMS to store the key for decrypting the text file. Modify the application to decrypt the text file and retrieve the credentials on start up. Update the text file and publish a new AMI every 60 days.
Explanations:
Storing credentials in a text file on Amazon S3, even with restricted permissions, is not a best practice for managing sensitive information like database credentials. This method requires manual updates every 60 days, which increases the risk of human error and does not provide automatic credential rotation or enhanced security features like encryption at rest and retrieval controls provided by AWS services.
IAM database authentication is not applicable for PostgreSQL with Amazon RDS. IAM database authentication works only with Amazon RDS for MySQL and MariaDB. Moreover, mapping an IAM user to each individual ecommerce user is cumbersome and unnecessary for the application’s requirements. This approach would also complicate credential management.
AWS Secrets Manager is designed specifically for securely storing and managing sensitive information such as database credentials. It supports automatic credential rotation (which is required every 60 days), allows fine-grained IAM permissions, and integrates easily with AWS applications. This is the best approach for securely managing the database credentials.
Storing credentials in an encrypted text file in the AMI and relying on AWS KMS for decryption is not optimal. This method would require creating and deploying a new AMI every 60 days when the credentials are updated, which is inefficient and prone to human error. Additionally, the encrypted file approach does not offer the same level of convenience, security features, and automation as Secrets Manager.
Based on what I know, the answer is:
Store the credentials in AWS Secrets Manager. Restrict permissions on the secret to only the IAM role associated with the instance profile. Modify the application to retrieve the credentials from Secrets Manager on start up. Configure the rotation interval to 60 days.