Which solution should the developer use to store and retrieve the credentials with the LEAST management overhead?
Store the credentials in AWS Systems Manager Parameter Store. Select the database that the parameter will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the parameter. Enable automatic rotation for the parameter. Use the parameter from Parameter Store on the Lambda function to connect to the database.
Encrypt the credentials with the default AWS Key Management Service (AWS KMS) key. Store the credentials as environment variables for the Lambda function. Create a second Lambda function to generate new credentials and to rotate the credentials by updating the environment variables of the first Lambda function. Invoke the second Lambda function by using an Amazon EventBridge rule that runs on a schedule. Update the database to use the new credentials. On the first Lambda function, retrieve the credentials from the environment variables. Decrypt the credentials by using AWS KMS. Connect to the database.
Store the credentials in AWS Secrets Manager. Set the secret type to Credentials for Amazon RDS database. Select the database that the secret will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the secret. Enable automatic rotation for the secret. Use the secret from Secrets Manager on the Lambda function to connect to the database.
Encrypt the credentials by using AWS Key Management Service (AWS KMS). Store the credentials in an Amazon DynamoDB table. Create a second Lambda function to rotate the credentials. Invoke the second Lambda function by using an Amazon EventBridge rule that runs on a schedule. Update the DynamoDB table. Update the database to use the generated credentials. Retrieve the credentials from DynamoDB with the first Lambda function. Connect to the database.
Explanations:
While AWS Systems Manager Parameter Store can store and manage secrets, it has no built-in automatic rotation for database credentials. The developer would need to implement custom rotation logic, which increases management overhead compared with the other options.
Although the environment-variable option encrypts the credentials, it requires manual management of credential rotation through a separate Lambda function. This increases complexity and overhead, because the developer must ensure that the credentials are updated both in the environment variables and in the database. Additionally, storing sensitive credentials in environment variables can pose a security risk if they are not managed properly.
AWS Secrets Manager is designed specifically for storing and managing sensitive information such as database credentials. It provides built-in support for automatic credential rotation, and the option to encrypt secrets with AWS KMS ensures secure storage. Integrating Secrets Manager with the Lambda function is straightforward, allowing the function to retrieve the credentials without added management complexity.
Storing credentials in Amazon DynamoDB introduces unnecessary complexity, as it requires a second Lambda function to manage credential rotation. This method lacks the built-in automatic rotation feature available in Secrets Manager, leading to increased management overhead. Additionally, the retrieval process from DynamoDB is less straightforward than using Secrets Manager.
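As an added example that is not part of the original page, the Python below shows the Lambda-side half of the Secrets Manager approach together with the one caveat automatic rotation introduces: a warm Lambda container may still hold the pre-rotation password, so the function caches the parsed secret and refetches it once when the database rejects the credentials. The Secrets Manager client is injected (FakeSecretsClient is a constructed stand-in that mimics the shape of boto3's get_secret_value response), the secret id is a placeholder, and connect_fn stands in for a real database driver.

```python
import json
import time
from typing import Any, Callable, Dict

class AuthError(Exception): pass  # raised by the connector when the database rejects the credentials

def parse_rds_secret(secret_string: str) -> Dict[str, Any]:
    # "Credentials for Amazon RDS database" secrets are JSON with at least username/password.
    data = json.loads(secret_string)
    missing = [k for k in ("username", "password") if k not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return {"user": data["username"], "password": data["password"], "host": data.get("host"),
            "port": int(data.get("port", 5432)), "dbname": data.get("dbname")}

class CredentialCache:
    # Keeps the parsed secret across warm invocations; refetches after ttl_seconds or on demand.
    def __init__(self, client: Any, secret_id: str, ttl_seconds: int = 300):
        self._client, self._secret_id, self._ttl = client, secret_id, ttl_seconds
        self._creds, self._fetched_at, self.fetch_count = None, 0.0, 0
    def get(self, force_refresh: bool = False) -> Dict[str, Any]:
        expired = time.time() - self._fetched_at > self._ttl
        if self._creds is None or expired or force_refresh:
            resp = self._client.get_secret_value(SecretId=self._secret_id)  # same call shape as boto3
            self._creds = parse_rds_secret(resp["SecretString"])
            self._fetched_at, self.fetch_count = time.time(), self.fetch_count + 1
        return self._creds

def connect_with_rotation_retry(cache: CredentialCache, connect_fn: Callable[[Dict[str, Any]], Any]) -> Any:
    # Right after a rotation the cached password is stale: on AuthError refetch once and retry.
    try:
        return connect_fn(cache.get())
    except AuthError:
        return connect_fn(cache.get(force_refresh=True))

class FakeSecretsClient:
    # Constructed stand-in for boto3's secretsmanager client; serves the listed versions in order.
    def __init__(self, versions):
        self._versions = list(versions)
    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        secret = self._versions.pop(0) if len(self._versions) > 1 else self._versions[0]
        return {"Name": SecretId, "SecretString": json.dumps(secret)}

def demo() -> Dict[str, Any]:
    # Constructed scenario: old password gets cached, rotation happens, DB now accepts only "new-pw".
    old = {"username": "app", "password": "old-pw", "host": "db.internal", "port": "5432"}
    cache = CredentialCache(FakeSecretsClient([old, dict(old, password="new-pw")]), "PLACEHOLDER_SECRET_ID")
    def connect_fn(creds):
        if creds["password"] != "new-pw":
            raise AuthError("password authentication failed")
        return {"connected_as": creds["user"], "port": creds["port"]}
    return {"result": connect_with_rotation_retry(cache, connect_fn), "fetches": cache.fetch_count}
```

In a real function the CredentialCache instance is created at module scope so it survives across warm invocations, and the refetch-on-AuthError path is what keeps the function working through each scheduled rotation.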