Which solution meets these requirements with the LEAST operational effort?
A. Create a database user with a user name and password. Add parameters for the database user name and password to the CloudFormation template. Pass the parameters to the EC2 instances when the instances are launched.
B. Create a database user with a user name and password. Store the user name and password in AWS Systems Manager Parameter Store. Configure the EC2 instances to retrieve the database credentials from Parameter Store.
C. Configure the DB cluster to use IAM database authentication. Create a database user to use with IAM authentication. Associate a role with the EC2 instances to allow applications on the instances to access the database.
D. Configure the DB cluster to use IAM database authentication with an IAM user. Create a database user that has a name that matches the IAM user. Associate the IAM user with the EC2 instances to allow applications on the instances to access the database.
Explanations:
A. This option creates a database user with static credentials (user name and password) and passes them as parameters in the CloudFormation template. The credentials must then be maintained and rotated, which conflicts with the requirement not to maintain static database credentials.
B. Storing credentials in AWS Systems Manager Parameter Store is a secure way to manage secrets, but the credentials are still static. The EC2 instances must retrieve them, and someone must manage their lifecycle, which is ongoing operational overhead.
C. This option configures the Aurora DB cluster to use IAM database authentication, so EC2 instances connect without static credentials. With an IAM role associated with the instances, applications obtain temporary credentials from the role and use them to authenticate to the database, which minimizes operational effort and removes the need to manage static credentials.
D. Although this option also uses IAM authentication, it incorrectly requires an IAM user. The correct approach for EC2 instances is an IAM role rather than an IAM user; an IAM user would add long-lived access keys and unnecessary complexity, and does not align with best practices for granting permissions to AWS resources.