AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company has an application that runs on Amazon EC2 instances and uses an Amazon Aurora database. The EC2 instances connect to the database by using user names and passwords that are stored locally in a file. The company wants to minimize the operational overhead of credential management.
What should a solutions architect do to accomplish this goal?
Other
Community
UAnonymous
A
Use AWS Secrets Manager. Turn on automatic rotation.
B
Use AWS Systems Manager Parameter Store. Turn on automatic rotation.
C
Create an Amazon S3 bucket to store objects that are encrypted with an AWS Key Management Service (AWS KMS) encryption key. Migrate the credential file to the S3 bucket. Point the application to the S3 bucket.
D
Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume for each EC2 instance. Attach the new EBS volume to each EC2 instance. Migrate the credential file to the new EBS volume. Point the application to the new EBS volume.
Explanation:
Explanation
Correct Answer: A
AWS Secrets Manager is specifically designed for managing secrets like database credentials, API keys, and other sensitive data. Here's why this is the best solution:
Why AWS Secrets Manager is the correct choice:
- Purpose-built for secrets management: Secrets Manager is specifically designed to store and retrieve secrets securely.
- Automatic rotation: The service can automatically rotate secrets according to a schedule, which reduces operational overhead.
- Integration with Aurora: Secrets Manager has native integration with Amazon Aurora, making it easy to manage database credentials.
- Security: Secrets are encrypted at rest using AWS KMS keys and can be accessed securely by authorized resources.
- Access control: Fine-grained access control can be implemented using IAM policies.
Why other options are incorrect:
Option B - AWS Systems Manager Parameter Store:
- While Parameter Store can store secrets, it's primarily designed for configuration data.
- Parameter Store doesn't have built-in automatic rotation for secrets like Secrets Manager does.
- Secrets Manager is specifically designed for secrets management with rotation capabilities.
Option C - Amazon S3 with KMS encryption:
- This moves the credential file to S3 but doesn't solve the operational overhead problem.
- The application still needs to retrieve and manage credentials manually.
- No automatic rotation capability.
- Adds complexity without addressing the core requirement of minimizing operational overhead.
Option D - Encrypted EBS volumes:
- This just moves the credential storage location without addressing management overhead.
- Each instance still has its own copy of credentials.
- No centralized management or rotation capabilities.
- Increases complexity with additional EBS volumes.
Key Benefits of AWS Secrets Manager:
- Centralized management: All secrets are stored in one place.
- Automatic rotation: Reduces manual intervention and security risks.
- Audit trail: Provides logs of who accessed secrets and when.
- Integration: Works seamlessly with Aurora databases and EC2 instances.
- Security: Secrets are encrypted and access is controlled through IAM.
By using AWS Secrets Manager with automatic rotation, the company can minimize operational overhead while maintaining security and compliance.
Comments
Loading comments...