Which solution will meet these requirements?
Store the database credentials for both environments in AWS Systems Manager Parameter Store. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Within the application code of the Lambda functions, pull the credentials from the Parameter Store parameter by using the AWS SDK for Python (Boto3). Add a role to the Lambda functions to provide access to the Parameter Store parameter.
Store the database credentials for both environments in AWS Secrets Manager with distinct key entries for the QA environment and the production environment. Turn on rotation. Provide a reference to the Secrets Manager key as an environment variable for the Lambda functions.
Store the database credentials for both environments in AWS Key Management Service (AWS KMS). Turn on rotation. Provide a reference to the credentials that are stored in AWS KMS as an environment variable for the Lambda functions.
Create separate S3 buckets for the QA environment and the production environment. Turn on server-side encryption with AWS KMS keys (SSE-KMS) for the S3 buckets. Use an object naming pattern that gives each Lambda function’s application code the ability to pull the correct credentials for the function’s corresponding environment. Grant each Lambda function’s execution role access to Amazon S3.
Explanations:
While AWS Systems Manager Parameter Store can securely store credentials, it does not have built-in automatic password rotation capabilities. Therefore, additional work would be required to implement rotation, which does not fully meet the requirement for automatic password rotation.
AWS Secrets Manager is designed for securely storing sensitive information like database credentials and supports automatic rotation of secrets. It allows for easy retrieval of credentials in a secure manner and can use distinct keys for different environments, making it suitable for both QA and production setups.
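The following is an added example of the pattern the correct option describes, written here for illustration and not taken from the question or from AWS documentation: a Lambda function resolves which secret to read (QA or production) from an environment variable, fetches the JSON secret from Secrets Manager, validates its fields, and caches it for the life of the warm execution environment so a rotation can be picked up by invalidating the cache. The environment variable name `DB_SECRET_ARN`, the JSON field names, the sample ARNs and the `FakeSecretsClient` stand-in for boto3 are all assumptions made so the example runs offline; in a real function you would omit the fake and let `load_db_credentials` create the real boto3 client.

```python
"""Environment-specific DB credentials from AWS Secrets Manager in a Lambda function."""
import json
import os
import time

# Assumed environment variable name; the option only says the function reads
# "a reference to the Secrets Manager key" from an environment variable.
SECRET_ENV_VAR = "DB_SECRET_ARN"
CACHE_TTL_SECONDS = 300

# Process-wide cache: Lambda reuses the execution environment between invocations,
# so a warm function avoids a GetSecretValue call on every request.
_cache = {}  # secret_id -> (fetched_at_epoch_seconds, credentials dict)

# Field names assumed to match a Secrets Manager RDS-style secret.
REQUIRED_FIELDS = ("username", "password", "host", "port", "dbname")


def resolve_secret_id(environ=None):
    """Return the secret ARN/name for this deployment (QA vs. production) from the environment."""
    environ = os.environ if environ is None else environ
    secret_id = environ.get(SECRET_ENV_VAR)
    if not secret_id:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set for this Lambda function")
    return secret_id


def _secrets_client():
    import boto3  # imported lazily so the module loads offline with a fake client
    return boto3.client("secretsmanager")


def load_db_credentials(secret_id, client=None, now=None, ttl=CACHE_TTL_SECONDS):
    """Fetch and validate the JSON secret, caching it for `ttl` seconds.

    `client` is any object exposing boto3's get_secret_value(SecretId=...) call,
    which lets the function run against a fake offline.
    """
    now = time.time() if now is None else now
    cached = _cache.get(secret_id)
    if cached is not None and now - cached[0] < ttl:
        return cached[1]
    client = client if client is not None else _secrets_client()
    response = client.get_secret_value(SecretId=secret_id)
    creds = json.loads(response["SecretString"])
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing:
        raise ValueError(f"secret {secret_id} is missing fields: {missing}")
    _cache[secret_id] = (now, creds)
    return creds


def invalidate(secret_id):
    """Drop the cached copy, e.g. after a DB auth failure that follows a rotation."""
    _cache.pop(secret_id, None)


class FakeSecretsClient:
    """Constructed stand-in for the boto3 Secrets Manager client (offline demo only)."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secrets[SecretId])}


# Constructed sample: one secret per environment, shaped like a rotated RDS secret.
SAMPLE_SECRETS = {
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:qa/db-EXAMPLE": {
        "username": "app_qa", "password": "qa-pass-EXAMPLE", "engine": "mysql",
        "host": "qa-db.example.internal", "port": 3306, "dbname": "app",
    },
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-EXAMPLE": {
        "username": "app_prod", "password": "prod-pass-EXAMPLE", "engine": "mysql",
        "host": "prod-db.example.internal", "port": 3306, "dbname": "app",
    },
}


def demo(environment="qa"):
    """Simulate a cold start followed by a warm invocation in the given environment."""
    client = FakeSecretsClient(SAMPLE_SECRETS)
    env = {SECRET_ENV_VAR: next(k for k in SAMPLE_SECRETS if f":{environment}/" in k)}
    secret_id = resolve_secret_id(env)
    invalidate(secret_id)
    first = load_db_credentials(secret_id, client=client, now=1000.0)
    second = load_db_credentials(secret_id, client=client, now=1010.0)  # cache hit
    return first["username"], client.calls, first is second


if __name__ == "__main__":
    print(demo("qa"))    # ('app_qa', 1, True)
    print(demo("prod"))  # ('app_prod', 1, True)
```

Because each environment's function gets its own `DB_SECRET_ARN`, the same deployment package serves QA and production with no credential in code or configuration, and the execution role can be scoped to `secretsmanager:GetSecretValue` on exactly one secret ARN. The short TTL plus `invalidate` is what makes automatic rotation safe to turn on: a warm function keeps working until the old credential stops being accepted, then refetches.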
AWS Key Management Service (AWS KMS) is primarily used for managing encryption keys rather than storing credentials directly. KMS does not provide a mechanism for automatic password rotation or credential management. Therefore, this option does not satisfy the requirements.
While S3 can be used to store credentials with encryption, it lacks the built-in automatic rotation feature required by the company. Additionally, managing credentials in S3 adds complexity and is not the best practice compared to using a service specifically designed for secret management, such as Secrets Manager.