AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is developing a two-tier web application on AWS. The company's developers have deployed the application on an Amazon EC2 instance that connects directly to a backend Amazon RDS database. The company must not hardcode database credentials in the application. The company must also implement a solution to automatically rotate the database credentials on a regular basis.

Which solution will meet these requirements with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Store the database credentials in the instance metadata. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and instance metadata at the same time.

Store the database credentials in a configuration file in an encrypted Amazon S3 bucket. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. Use S3 Versioning to ensure the ability to fall back to previous values.

Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.

Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Turn on automatic rotation for the encrypted parameters. Attach the required permission to the EC2 role to grant access to the encrypted parameters.

Explanation:

Explanation

Correct Answer: C

AWS Secrets Manager is specifically designed for this use case and provides:

Secure credential storage: Secrets are encrypted at rest using AWS KMS
Automatic rotation: Built-in rotation capability that can rotate RDS database credentials automatically
Least operational overhead: Secrets Manager handles the rotation process end-to-end without requiring custom Lambda functions or manual intervention
IAM integration: EC2 instances can access secrets using IAM roles attached to the instance
Automatic credential updates: When Secrets Manager rotates credentials, it updates the secret value and applications can retrieve the new credentials

Why other options are not optimal:

Option A: Storing credentials in instance metadata is not secure and requires custom Lambda functions for rotation, creating operational overhead.
Option B: Using S3 with custom Lambda functions requires managing the rotation logic, versioning, and synchronization, which adds operational complexity.
Option D: AWS Systems Manager Parameter Store supports encryption but does not have built-in automatic rotation for RDS credentials. While you can store encrypted parameters, you would need to implement custom rotation logic, unlike Secrets Manager which has native RDS rotation support.

Key AWS Services Comparison:

Secrets Manager: Built-in rotation for RDS, Redshift, DocumentDB + Lambda rotation for other services
Parameter Store: Secure storage but no built-in rotation capability
Both: Integrate with IAM for access control and KMS for encryption

Best Practice: Use Secrets Manager for database credentials that require rotation, as it provides the most managed solution with the least operational overhead.

Powered ByGPT-5.2

Comments

Loading comments...