Which solution will meet these requirements with the LEAST development effort?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A company must deploy all its Amazon RDS DB instances by using AWS CloudFormation templates as part of AWS CodePipeline continuous integration and continuous delivery (CI/CD) automation.The primary password for the DB instance must be automatically generated as part of the deployment process.

Which solution will meet these requirements with the LEAST development effort?

Create an AWS Lambda-backed CloudFormation custom resource. Write Lambda code that generates a secure string. Return the value of the secure string as a data field of the custom resource response object. Use the CloudFormation Fn::GetAtt intrinsic function to get the value of the secure string. Use the value to create the DB instance.

Use the AWS CodeBuild action of CodePipeline to generate a secure string by using the following AWS CLI command: aws secretsmanager get-random-password. Pass the generated secure string as a CloudFormation parameter with the NoEcho attribute set to true. Use the parameter reference to create the DB instance.

Create an AWS Lambda-backed CloudFormation custom resource. Write Lambda code that generates a secure string. Return the value of the secure string as a data field of the custom resource response object. Use the CloudFormation Fn::GetAtt intrinsic function to get a value of the secure string. Create secrets in AWS Secrets Manager. Use the secretsmanager dynamic reference to use the value stored in the secret to create the DB instance.

Use the AWS::SecretsManager::Secret resource to generate a secure string. Store the secure string as a secret in AWS Secrets Manager. Use the secretsmanager dynamic reference to use the value stored in the secret to create the DB instance.

Explanations:

While this option uses a Lambda-backed custom resource to generate a secure string, it requires additional code development and complexity in managing the Lambda function. It doesn’t utilize Secrets Manager or other simpler mechanisms provided by AWS for password generation.

This option relies on AWS CodeBuild to generate a secure string using the AWS CLI. However, passing the generated string as a CloudFormation parameter, although possible, involves more manual steps and does not leverage a more integrated solution like Secrets Manager.

This option also involves a Lambda-backed custom resource and the complexity of managing the Lambda code. Although it suggests using AWS Secrets Manager, it still requires more effort compared to simply creating the secret directly within the CloudFormation template.

This option uses the AWS::SecretsManager::Secret resource to directly create a secure string and store it in AWS Secrets Manager. This approach is straightforward and minimizes development effort while ensuring that the password is securely generated and managed, making it the most efficient solution for the given requirements.

2025-10-16

1 Comment

  1. Heather
    Author

    As far as I can tell, the answer is:
    Use the AWS::SecretsManager::Secret resource to generate a secure string. Store the secure string as a secret in AWS Secrets Manager. Use the secretsmanager dynamic reference to use the value stored in the secret to create the DB instance.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − four =