Which solution will meet these requirements MOST securely?
Store the database credentials in the environment variables of the Lambda function. Deploy the Lambda function with the new credentials every 30 days.
Store the database credentials in AWS Secrets Manager. Configure a 30-day rotation schedule for the credentials.
Store the database credentials in AWS Systems Manager Parameter Store secure strings. Configure a 30-day schedule for the secure strings.
Store the database credentials in an Amazon S3 bucket that uses server-side encryption with customer-provided encryption keys (SSE-C). Configure a 30-day key rotation schedule for the customer key.
Explanations:
Storing database credentials in Lambda environment variables is not secure: the values are readable by anyone who can view the function configuration, and rotating them requires redeploying the Lambda function every 30 days, which adds potential downtime and management overhead.
AWS Secrets Manager is designed for securely storing and automatically rotating credentials. Configuring a 30-day rotation schedule is a best practice for security, ensuring the database credentials are updated regularly without manual intervention.
While AWS Systems Manager Parameter Store can securely store credentials as secure strings, it does not have built-in support for automatic credential rotation like Secrets Manager does. Additional implementation would be needed to automate rotation.
Storing credentials in an S3 bucket, even with server-side encryption, is not a best practice for secret management. It does not provide automatic rotation capabilities, and managing customer-provided keys adds complexity and security risks.
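The following CloudFormation template is an added example, not part of the original question or explanations. It wires up the Secrets Manager option above: the secret is generated by Secrets Manager, a hosted rotation function rotates it every 30 days (`AutomaticallyAfterDays: 30`), and the application's Lambda execution role is granted only `secretsmanager:GetSecretValue` on that one secret. The resource names, the secret name `example/app/db-credentials`, the `appuser`/`appdb` values and the VPC parameters are placeholders chosen for illustration; the `MySQLSingleUser` rotation type assumes a MySQL-compatible database.

```yaml
# Added example (not from the original page). Names and connection values are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
# This transform is required when RotationSchedule uses HostedRotationLambda.
Transform: AWS::SecretsManager-2020-07-23
Description: Database credentials in Secrets Manager with 30-day automatic rotation

Parameters:
  DbHost:
    Type: String
    Description: Hostname of the database the credentials belong to (placeholder)
  VpcSubnetIds:
    Type: CommaDelimitedList
    Description: Subnets from which the rotation function can reach the database (placeholder)
  VpcSecurityGroupIds:
    Type: CommaDelimitedList
    Description: Security groups allowing the rotation function to reach the database (placeholder)

Resources:
  # The secret itself. Secrets Manager generates the initial password, so it
  # never appears in the template, in source control, or in a Lambda environment variable.
  DbCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db-credentials        # placeholder secret name
      Description: Application database credentials (rotated every 30 days)
      GenerateSecretString:
        # The hosted rotation function expects engine/host/port/dbname/username keys.
        SecretStringTemplate: !Sub '{"username": "appuser", "engine": "mysql", "host": "${DbHost}", "port": 3306, "dbname": "appdb"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  # The 30-day rotation schedule. HostedRotationLambda makes Secrets Manager deploy
  # its managed rotation function, so no custom rotation code has to be written or maintained.
  DbCredentialsRotation:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref DbCredentials
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSubnetIds: !Join [",", !Ref VpcSubnetIds]
        VpcSecurityGroupIds: !Join [",", !Ref VpcSecurityGroupIds]
      RotationRules:
        AutomaticallyAfterDays: 30

  # Least-privilege read access for the application's Lambda function:
  # only GetSecretValue, and only on this one secret.
  AppLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadDbCredentials
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref DbCredentials
```

With this in place, the only value the application function needs in its environment is the secret's ARN; it calls `GetSecretValue` at runtime (ideally caching the result for the life of the execution environment) and picks up the new password after each rotation without a redeploy. Contrast this with the Parameter Store option, where the secure string itself can be stored just as safely but the rotation logic, the schedule and the database-side password change would all have to be built and maintained by hand.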