Which solution will meet these requirements with the LEAST operational overhead?
Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.
Store the credentials as secrets in AWS Systems Manager by creating a secure string parameter. Use multi-Region secret replication for the required Regions. Configure Systems Manager to rotate the secrets on a schedule.
Store the credentials in an Amazon S3 bucket that has server-side encryption (SSE) enabled. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function to rotate the credentials.
Encrypt the credentials as secrets by using AWS Key Management Service (AWS KMS) multi-Region customer managed keys. Store the secrets in an Amazon DynamoDB global table. Use an AWS Lambda function to retrieve the secrets from DynamoDB. Use the RDS API to rotate the secrets.
Explanations:
AWS Secrets Manager is purpose-built for securely managing and rotating secrets. It supports multi-Region replication and automated rotation with minimal setup and operational overhead, making it the most suitable choice for this requirement.
AWS Systems Manager Parameter Store does not support automated rotation for secrets like RDS credentials, making it unsuitable for this use case despite offering multi-Region replication.
Storing credentials in Amazon S3, even with encryption, is less secure and requires more manual steps for rotation, increasing operational overhead and security risk.
Using DynamoDB and KMS with custom Lambda functions introduces unnecessary complexity and operational overhead. This option is not as streamlined as AWS Secrets Manager, which already has built-in features for secure storage, multi-Region support, and automatic rotation.