Which solution meets these requirements?
A. Use the AWS Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.
B. Use AWS Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.
C. Use the AWS Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
D. Use AWS Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.
Explanations:
A. AWS Systems Manager Parameter Store can store parameters securely but does not include built-in functionality for automatic credential rotation, which is a requirement. It also lacks the advanced management features found in Secrets Manager, such as automatic expiration and auditing of access.
B. While AWS Secrets Manager can securely store and rotate database credentials, using an IAM inline policy is less flexible than using IAM roles. Inline policies are specific to a single user or group, which could lead to administrative overhead and potential access issues as team roles change.
C. AWS Systems Manager Parameter Store does not provide automatic credential rotation, which is essential for maintaining security. Additionally, while it can restrict access using IAM roles, it does not offer the same level of security and management features as Secrets Manager.
D. AWS Secrets Manager securely stores and automatically rotates database credentials, meeting the requirement for secure storage and periodic rotation. Using IAM roles for ECS tasks ensures that access to credentials is tightly controlled and available only to the necessary containers, minimizing administrative overhead and preventing the sharing of plaintext credentials.