Which solution meets these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data.During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code in the company’s source code repository.A security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically.The credentials should be accessible to the application only.The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates.The solution must also minimize administrative overhead.

Which solution meets these requirements?

Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Explanations:

AWS Systems Manager Parameter Store can store parameters securely but does not include built-in functionality for automatic credential rotation, which is a requirement. It also lacks the advanced management features found in Secrets Manager, such as automatic expiration and auditing of access.

While AWS Secrets Manager can securely store and rotate database credentials, using an IAM inline policy is less flexible compared to using IAM roles. Inline policies are specific to a single user or group, which could lead to administrative overhead and potential access issues as team roles change.

AWS Systems Manager Parameter Store does not provide automatic credential rotation, which is essential for maintaining security. Additionally, while it can restrict access using IAM roles, it does not offer the same level of security and management features as Secrets Manager.

AWS Secrets Manager securely stores and automatically rotates database credentials, aligning with the requirement for secure storage and periodic rotation. Using IAM roles for ECS tasks ensures that access to credentials is tightly controlled and only available to the necessary containers, minimizing administrative overhead and preventing sharing of plaintext credentials.

2026-03-23

2 Comments

  1. Natalie
    Author

    I plan that the answer is:
    Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

  2. Stephen
    Author

    I strategize that the answer is:
    Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 5 =