AWS Certified Security - Specialty
Get started today
Ultimate access to all questions.
In a scenario where a company is deploying resources using an AWS CloudFormation template and must adhere to security best practices, particularly for managing sensitive database credentials, which approach should be taken? The company already employs AWS Key Management Service (AWS KMS) and AWS Secrets Manager for other security needs.
In a scenario where a company is deploying resources using an AWS CloudFormation template and must adhere to security best practices, particularly for managing sensitive database credentials, which approach should be taken? The company already employs AWS Key Management Service (AWS KMS) and AWS Secrets Manager for other security needs.
Explanation:
The correct answer is A: Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager. This solution leverages AWS Secrets Manager's capability to manage sensitive information and allows for seamless integration with CloudFormation templates through dynamic references. It ensures that sensitive database credentials are securely managed and easily accessible by the CloudFormation stack when needed. Encrypting the entire CloudFormation template (Option B) or using parameters with SecureString (Options C and D) are less optimal for managing database credentials securely in this context.