Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3.For the next version of the application, the security engineer wants to implement the following application design changes to improve security:✑ The database must use strong, randomly generated passwords stored in a secure AWS managed service.✑ The application resources must be deployed through AWS CloudFormation.✑ The application must rotate credentials for the database every 90 days.A solutions architect will generate a CloudFormation template to deploy the application.

Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.

Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.

Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.

Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.

Explanations:

AWS Secrets Manager allows for the generation and management of secrets such as database passwords. By creating a secret resource, the password can be stored securely, and using the built-in rotation feature, a Lambda function can be set up to rotate the password automatically every 90 days with minimal operational overhead.

AWS Systems Manager Parameter Store can store passwords as SecureString, but it does not provide built-in automatic password rotation like Secrets Manager. The need for a Lambda function to handle rotation adds complexity and operational overhead. Additionally, there is no RotationSchedule resource in Parameter Store, making this option less ideal.

While AWS Secrets Manager allows for the generation of secrets and supports Lambda for custom rotation, using an Amazon EventBridge rule for triggering password rotation adds unnecessary complexity compared to the built-in rotation feature of Secrets Manager. The requirement specifies wanting to minimize operational overhead.

Similar to option B, AWS Systems Manager Parameter Store does not have automatic password rotation capabilities. The use of AWS AppSync DataSource for automatic rotation is not applicable for managing database passwords and does not fit the context, resulting in higher operational overhead without meeting the requirements.

2025-09-30

1 Comment

  1. Lori
    Author

    As I understand it, the answer is:
    Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 3 =