Which solution will meet these requirements with the LEAST operational overhead?
A. Create an RDS database secret in AWS Secrets Manager. Set the user name, password, database, host, and port. Turn on secret rotation. Create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic.
B. Create an RDS database secret in AWS Secrets Manager. Set the user name, password, database, host, and port. Turn on secret rotation. Create SecureString parameters in AWS Systems Manager Parameter Store for the DynamoDB table, S3 bucket, and SNS topic.
C. Create RDS database parameters in AWS Systems Manager Parameter Store for the user name, password, database, host, and port. Create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic. Create a Lambda function and set the logic for the credentials rotation task. Schedule the credentials rotation task in Amazon EventBridge.
D. Create RDS database parameters in AWS Systems Manager Parameter Store for the user name, password, database, host, and port. Store the DynamoDB table, S3 bucket, and SNS topic in Amazon S3. Create a Lambda function and set the logic for the credentials rotation. Invoke the Lambda function on a schedule.
Explanations:
A. AWS Secrets Manager supports secure storage and rotation for the RDS credentials, but the DynamoDB table, S3 bucket, and SNS topic are stored in Lambda environment variables, which is not ideal for long-term management and reuse. Lambda environment variables are less flexible than Parameter Store for secure, reusable values.
B. Storing the RDS credentials in AWS Secrets Manager with rotation enabled is a good approach, and using AWS Systems Manager Parameter Store for the other parameters (DynamoDB, S3, and SNS) is the ideal solution. These values can be stored as SecureString parameters, which are encrypted and can be reused across applications without code changes.
C. While using AWS Systems Manager Parameter Store for the RDS credentials is a valid option, building a Lambda function for credential rotation introduces unnecessary operational overhead. Secrets Manager is a simpler, native service for securely rotating credentials with minimal maintenance.
D. Using AWS Systems Manager Parameter Store for the RDS credentials is fine, but storing the other parameters in Amazon S3 is inefficient and does not offer the same level of security and management as Parameter Store. Additionally, rotating credentials with a custom Lambda function increases operational complexity.