Which solution will meet these requirements in the MOST secure way?
Store the credentials in AWS Secrets Manager in the primary Region. Enable secret replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.
Store credentials in AWS Systems Manager Parameter Store in the primary Region. Enable parameter replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.
Store credentials in a config file. Upload the config file to an S3 bucket in the primary Region. Enable Cross-Region Replication (CRR) to an S3 bucket in the secondary region. Update the application to access the config file from the S3 bucket, based on the Region.
Store credentials in a config file. Upload the config file to an Amazon Elastic File System (Amazon EFS) file system. Update the application to use the Amazon EFS file system Regional endpoints to access the config file in the primary and secondary Regions.
Explanations:
AWS Secrets Manager allows for secure storage and management of secrets, including database credentials. By enabling secret replication, the credentials can be automatically replicated to the secondary Region, ensuring availability during a failover scenario. Using the ARN based on the Region allows the application to seamlessly access the correct secret. This approach provides strong security and compliance with disaster recovery strategies.
AWS Systems Manager Parameter Store is a viable option for storing credentials, but it may not provide the same level of security features as AWS Secrets Manager, particularly for sensitive data like database credentials. While parameter replication is possible, it does not inherently provide the same security and access controls, which may be crucial in a disaster recovery context.
Storing credentials in a config file is not a best practice for security, as it exposes sensitive information in an easily accessible format. Although using S3 with Cross-Region Replication ensures availability, it does not offer the encryption and access control features provided by Secrets Manager or Parameter Store, making it less secure for storing sensitive credentials.
Similar to option C, storing credentials in a config file on Amazon EFS does not follow best practices for secure credential storage. While EFS can be accessed from multiple Regions, it does not provide the built-in security and management features that dedicated services like Secrets Manager offer. This solution increases the risk of exposing sensitive information and does not align with secure credential storage principles.
From my perspective, the answer is:
Store the credentials in AWS Secrets Manager in the primary Region. Enable secret replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.