Which strategy should a solutions architect recommend to remediate these security risks?
A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
B. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Modify the DB instance and enable encryption.
C. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
D. Configure the Lambda function to store and retrieve the database credentials as encrypted AWS Systems Manager Parameter Store parameters. Create another Lambda function to automatically rotate the credentials. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
Explanations:
A. This option addresses both security issues. Storing the credentials in AWS Secrets Manager allows automated rotation of the database credentials, which removes the long-lived static password. Taking a snapshot of the DB instance, encrypting a copy of it, and restoring a new instance from that encrypted copy resolves the unencrypted data at rest. Together these steps give a clear path to securing both the credentials and the data.
B. Enabling IAM DB authentication improves credential management by letting the Lambda execution role authenticate to the database, but this option does not address credential rotation, since the existing static credentials remain in place. Also, simply modifying the DB instance to enable encryption does not resolve the current unencrypted state of the existing data; it would only apply to new data going forward.
C. This option also enables IAM DB authentication but, like option B, does not address credential rotation. Creating an encrypted read replica resolves only the data-encryption concern; it does not solve the problem of the static database credentials not being rotated regularly.
D. This option uses AWS Systems Manager Parameter Store for credential storage, which is not as well suited as AWS Secrets Manager for this use case, particularly for automatic rotation, because it requires a separately built rotation function. Although it creates an encrypted read replica, it does not directly satisfy the requirement for regular credential rotation or provide a robust mechanism for managing the database credentials securely.
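The explanation for option A leaves out the one practical consequence of enabling rotation: a Lambda that caches the password across warm invocations will eventually hold a rotated-out value and must re-fetch the secret when authentication fails. The following is an added example (not from the question or from AWS) showing a Secrets Manager cache with a TTL plus a single refresh-and-retry on auth failure. The Secrets Manager client is injected so the logic runs offline against a constructed fake; with boto3 installed the real client would be `boto3.client("secretsmanager")`. The secret name `prod/app/db`, the `AuthError` type and the `FakeDatabase` are assumptions made for the example.

```python
"""Lambda-side handling of a rotated Secrets Manager secret (added example)."""
import json
import time

SECRET_ID = "prod/app/db"  # placeholder secret name (assumption)


class AuthError(Exception):
    """Raised by the DB driver when the presented password is rejected (assumed type)."""


class SecretCache:
    """Cache a JSON secret across warm invocations; re-fetch after ttl or on demand."""

    def __init__(self, client, secret_id=SECRET_ID, ttl_seconds=300, clock=time.monotonic):
        self._client = client          # boto3 secretsmanager client or a fake
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._value = None
        self._fetched_at = None

    def _fetch(self):
        # GetSecretValue returns the AWSCURRENT version by default,
        # so after a rotation this is the new password.
        resp = self._client.get_secret_value(SecretId=self._secret_id)
        self._value = json.loads(resp["SecretString"])
        self._fetched_at = self._clock()
        return self._value

    def get(self, force=False):
        expired = self._fetched_at is None or (self._clock() - self._fetched_at) > self._ttl
        return self._fetch() if (force or expired) else self._value


def connect_with_rotation_retry(cache, connect):
    """connect(creds) returns a connection or raises AuthError.

    A cached password may have been rotated since it was fetched; on an
    auth failure refresh the secret exactly once and retry, so a rotation
    causes at most one failed attempt rather than an outage."""
    try:
        return connect(cache.get())
    except AuthError:
        return connect(cache.get(force=True))


# ---- constructed stand-ins so the example runs offline -------------------

class FakeSecretsManager:
    """Mimics the one call this code makes on boto3's secretsmanager client."""

    def __init__(self, secret):
        self.secret = dict(secret)
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secret)}

    def rotate(self, new_password):
        self.secret["password"] = new_password


class FakeDatabase:
    """Accepts a connection only when the password matches the current one."""

    def __init__(self, password):
        self.password = password

    def connect(self, creds):
        if creds["password"] != self.password:
            raise AuthError("authentication failed")
        return "connected as " + creds["username"]


def demo():
    """Connect, rotate the secret and the DB password, connect again."""
    sm = FakeSecretsManager({"username": "app", "password": "old-pw"})
    db = FakeDatabase("old-pw")
    cache = SecretCache(sm)
    first = connect_with_rotation_retry(cache, db.connect)      # one fetch
    sm.rotate("new-pw")                                         # rotation completes
    db.password = "new-pw"
    second = connect_with_rotation_retry(cache, db.connect)     # stale cache -> refetch
    return first, second, sm.calls


def handler(event, context):
    """Lambda entry point using the real client when boto3 is present (assumed layout)."""
    import boto3  # available in the Lambda runtime
    cache = SecretCache(boto3.client("secretsmanager"))
    creds = cache.get()
    return {"username": creds["username"]}  # never return the password itself


if __name__ == "__main__":
    print(demo())
```

The cache keeps calls to Secrets Manager off the hot path, and the single forced refresh is what makes rotation invisible to callers; a credential stored as a static environment variable has no equivalent recovery path.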