Which solution will handle the database credentials MOST securely?
Retrieve the credentials from variables that are hardcoded in the buildspec.yml file. Configure an AWS Lambda function to rotate the credentials.
Retrieve the credentials from an environment variable that is linked to a SecureString parameter in AWS Systems Manager Parameter Store. Configure Parameter Store for automatic rotation.
Retrieve the credentials from an environment variable that is linked to an AWS Secrets Manager secret. Configure Secrets Manager for automatic rotation.
Retrieve the credentials from an environment variable that contains the connection string in plaintext. Configure an Amazon EventBridge event to rotate the credentials.
Explanations:
Hardcoding credentials in the buildspec.yml file is a security risk, as it exposes sensitive information in the source code. While an AWS Lambda function can rotate credentials, the method of hardcoding them does not comply with security best practices.
Using AWS Systems Manager Parameter Store for credentials is better than hardcoding, but it does not natively support automatic rotation of database credentials. Automatic rotation needs to be managed by additional processes or scripts, making it less secure compared to dedicated services.
AWS Secrets Manager is designed specifically for storing and managing sensitive information like database credentials. It supports automatic rotation of secrets, ensuring credentials are securely managed and up to date. This option provides the most secure solution for managing database credentials.
Storing connection strings in plaintext within environment variables is insecure as it exposes sensitive information. While Amazon EventBridge can trigger events for rotation, the initial plaintext storage of credentials violates security best practices.
It seems to me that the answer is:
Retrieve the credentials from an environment variable that is linked to an AWS Secrets Manager secret. Configure Secrets Manager for automatic rotation.