Which solution will meet these requirements?
Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference.
Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm-secure dynamic reference.
Create an AWS::SSM::Parameter resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm dynamic reference.
Create parameters for the database credentials in the CloudFormation template. Use the Ref intrinsic function to provide the credentials to the AWS::RDS::DBInstance resource.
Explanations:
Using AWS::SecretsManager::Secret allows you to securely store and automatically rotate credentials. The resolve:secretsmanager dynamic reference is designed to securely fetch secrets from AWS Secrets Manager for use in CloudFormation templates, and it meets the requirement for both encryption and automatic rotation of credentials.
resolve:ssm-secure is used to fetch secrets from AWS Systems Manager Parameter Store in a secure manner. However, SSM Parameter Store does not support automatic rotation of secrets, which violates the requirement for automatic credential rotation.
AWS::SSM::Parameter can be used to store credentials securely, but it lacks native support for automatic rotation of credentials. It only provides secure storage, but does not meet the requirement for automatic rotation.
Using plain parameters with Ref for credentials is not secure. The credentials are stored in plaintext within the template, which is not encrypted, and there is no support for automatic rotation. This option does not meet the security or rotation requirements.
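A template sketch of the Secrets Manager option described in the first explanation, added here as an illustration and not part of the original question. The logical IDs, the appadmin username, the MySQL engine, the instance size and the 30-day interval are assumptions; the hosted rotation function also needs network access to the database, which is left out.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Transform required for the HostedRotationLambda property below.
Transform: AWS::SecretsManager-2020-07-23
Resources:
  # Secret is generated at stack creation; no password appears in the
  # template, in stack parameters, or in stack events.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'   # assumed username
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'   # characters RDS rejects in master passwords

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql                 # assumed engine
      DBInstanceClass: db.t3.micro  # assumed size
      AllocatedStorage: "20"
      # Dynamic references are resolved by CloudFormation at deploy time.
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"

  # Writes the DB host, port and engine into the secret so rotation can connect.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  # Automatic rotation: the part that Parameter Store cannot provide.
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 30  # assumed interval
```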