Which solution will meet these requirements with the LEAST operational overhead?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A company hosts its application on AWS.The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate.The cluster runs behind an Application Load Balancer.The application stores data in an Amazon Aurora database.A developer encrypts and manages database credentials inside the application.The company wants to use a more secure credential storage method and implement periodic credential rotation.

Which solution will meet these requirements with the LEAST operational overhead?

Migrate the secret credentials to Amazon RDS parameter groups. Encrypt the parameter by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant AWS KMS permissions to access Amazon RDS.

Migrate the credentials to AWS Systems Manager Parameter Store. Encrypt the parameter by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager.

Migrate the credentials to ECS Fargate environment variables. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager.

Migrate the credentials to AWS Secrets Manager. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager by using keys.

Explanations:

Amazon RDS parameter groups are not intended for managing application credentials securely and do not support automatic credential rotation. They are mainly used for database configuration settings rather than storing sensitive application credentials.

While AWS Systems Manager Parameter Store can be used for credential storage and can be encrypted with AWS KMS, it does not support built-in secret rotation. This option would require additional operational overhead for implementing rotation manually.

Storing credentials in ECS Fargate environment variables is not a recommended practice for sensitive information. Additionally, it lacks built-in support for automatic credential rotation, requiring manual management.

AWS Secrets Manager is designed specifically for managing sensitive information such as database credentials, providing built-in encryption with AWS KMS and automatic secret rotation. This solution minimizes operational overhead by automating the management of secrets and integrating seamlessly with Amazon ECS Fargate.

2025-10-17

1 Comment

  1. Henry
    Author

    I appraise that the answer is:
    Migrate the credentials to AWS Secrets Manager. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager by using keys.

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − nine =