Which set of options will meet the company’s requirements?
Create a new AWS Systems Manager Parameter Store entry for each database password. Enable parameter expiration to invoke an AWS Lambda function to perform password rotation by updating the parameter value. Create an IAM policy allowing each system administrator to retrieve their current password from the Parameter Store. Use the AWS CLI to retrieve credentials when connecting to the database.
Create a new AWS Secrets Manager entry for each database password. Configure password rotation for each secret using an AWS Lambda function in the same VPC as the database cluster. Create an IAM policy allowing each system administrator to retrieve their current password. Use the AWS CLI to retrieve credentials when connecting to the database.
Enable IAM database authentication on the database. Attach an IAM policy to each system administrator’s role to map the role to the database user name. Install the Amazon Aurora SSL certificate bundle to the system administrators’ certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
Enable IAM database authentication on the database. Configure the database to use the IAM identity provider to map the administrator roles to the database user. Install the Amazon Aurora SSL certificate bundle to the system administrators’ certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.
Explanations:
AWS Systems Manager Parameter Store is not well suited to password rotation in this case. Parameter Store can hold passwords, but it has no direct IAM integration for issuing temporary credentials and no built-in rotation; rotation has to be implemented in a custom Lambda function. This option therefore still depends on static passwords and significant manual effort.
AWS Secrets Manager can store credentials and rotate passwords, but the solution described here is incomplete. Running the rotation Lambda function in the same VPC is not what the requirement calls for, and the option still hands administrators a retrievable static password rather than temporary credentials tied to their IAM roles. There is also no clear mapping from IAM identities to database users.
Enabling IAM database authentication lets system administrators authenticate with temporary IAM credentials. An IAM policy attached to each administrator's role grants access to the corresponding database user, and the short-lived authentication token generated with the AWS CLI replaces the static database password. This option meets the requirement to reuse the existing AWS access controls and to use temporary credentials.
IAM database authentication is the right mechanism for temporary credentials, but configuring the database to use an IAM identity provider to map administrator roles to database users is unnecessary. IAM roles alone are sufficient, so this option adds needless complexity. IAM roles should map directly to the database user name without any additional identity provider configuration.
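The three moving parts of the IAM database authentication option are the `rds-db:connect` policy that maps a role to one database user, the authentication token that stands in for the password, and a client connection that verifies the Aurora SSL bundle. The following Python is an added example, not part of the original question or of any AWS SDK: all account, cluster and key values are constructed placeholders, and the token builder reimplements the documented presigned-request layout (a SigV4 query signature over `Action=connect&DBUser=<user>` for service `rds-db`, valid for 900 seconds) so the shape of the token is visible. In practice you would run `aws rds generate-db-auth-token` or an SDK call instead of this hand-rolled signer.

```python
"""Added example: IAM policy, auth token and client command for Aurora IAM DB auth."""
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed sample values (assumptions, not taken from any real account).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
CLUSTER_RESOURCE_ID = "cluster-ABCDEFGHIJKL0123456789"  # placeholder DbiResourceId
DB_USER = "admin_jane"
ENDPOINT = "example-cluster.cluster-abc123.us-east-1.rds.amazonaws.com"
PORT = 3306


def db_user_arn(region, account_id, resource_id, db_user):
    """ARN of one database user on one cluster: the only resource the role may connect as."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{resource_id}/{db_user}"


def connect_policy(region, account_id, resource_id, db_user):
    """Least-privilege IAM policy attached to an administrator's role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": db_user_arn(region, account_id, resource_id, db_user),
        }],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service):
    """Standard SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def generate_auth_token(endpoint, port, db_user, region, access_key, secret_key,
                        now=None, session_token=None):
    """Builds the token: a presigned GET request with the scheme stripped, expiring in 900 s."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{endpoint}:{port}"
    scope = f"{date}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "900",  # token lifetime; the client must connect before this elapses
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary role credentials carry a session token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, everything but unreserved characters percent-encoded.
    qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    empty_payload = hashlib.sha256(b"").hexdigest()  # GET with no body
    canonical_request = "\n".join(["GET", "/", qs, f"host:{host}\n", "host", empty_payload])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, "rds-db"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}/?{qs}&X-Amz-Signature={signature}"


def mysql_command(endpoint, port, db_user, token, ca_bundle="global-bundle.pem"):
    """argv for the MySQL client: TLS is mandatory and the token travels as a cleartext password,
    so the connection must verify the server against the installed Aurora certificate bundle."""
    return ["mysql", f"--host={endpoint}", f"--port={port}", f"--user={db_user}",
            f"--ssl-ca={ca_bundle}", "--ssl-mode=VERIFY_IDENTITY",
            "--enable-cleartext-plugin", f"--password={token}"]


if __name__ == "__main__":
    print(json.dumps(connect_policy(REGION, ACCOUNT_ID, CLUSTER_RESOURCE_ID, DB_USER), indent=2))
    # Dummy credentials, constructed for the demo only.
    tok = generate_auth_token(ENDPOINT, PORT, DB_USER, REGION, "AKIAEXAMPLEKEY000000",
                              "EXAMPLESECRETKEYxxxxxxxxxxxxxxxxxxxxxxxx")
    print(" ".join(mysql_command(ENDPOINT, PORT, DB_USER, tok)))
```

The policy's `Resource` is the line that does the role-to-database-user mapping described in the option: it names a single `dbuser` on a single cluster, so a role cannot be used to connect as any other account. The token itself carries no secret, only a signature, which is why it can be generated on the administrator's workstation from their existing IAM role session and why it is useless after its expiry window.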
As I understand it, the answer is:
Enable IAM database authentication on the database. Attach an IAM policy to each system administrator’s role to map the role to the database user name. Install the Amazon Aurora SSL certificate bundle to the system administrators’ certificate trust store. Use the AWS CLI to generate an authentication token used when connecting to the database.