Answer-first summary for fast verification
Answer: Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager.
## Explanation **Correct Answer: A** AWS Secrets Manager is specifically designed for managing secrets like database credentials with built-in rotation capabilities. Here's why this is the best solution: ### Why AWS Secrets Manager is the Right Choice: 1. **Automatic Credential Rotation**: Secrets Manager can automatically rotate database credentials according to a schedule you define, meeting the requirement for frequent credential rotation. 2. **Secure Storage**: Credentials are encrypted at rest using AWS KMS keys. 3. **IAM Integration**: Web servers can be granted IAM permissions to retrieve secrets, eliminating the need to store credentials on the file system. 4. **RDS Integration**: Secrets Manager has native integration with Amazon RDS, making it easy to manage database credentials. ### Why Other Options Are Not Ideal: **Option B - AWS Systems Manager OpsCenter**: - OpsCenter is designed for operational management and incident response, not for secret management with rotation capabilities. - It doesn't provide built-in credential rotation features. **Option C - Amazon S3 Bucket**: - While S3 can store encrypted credentials, it doesn't provide automatic rotation capabilities. - You would need to build your own rotation mechanism, which is less secure and more complex. - Credentials would need to be manually updated and uploaded to S3. **Option D - KMS-encrypted files on web servers**: - Credentials are stored on the web server file system, which is less secure than centralized secret management. - No built-in rotation mechanism - you would need to manually update files on all web servers. - If a web server is compromised, the encrypted credentials could potentially be accessed. ### Best Practices Implemented by Option A: - **Principle of Least Privilege**: IAM policies grant only the necessary permissions to retrieve secrets. - **Centralized Management**: All credentials are managed in one place. - **Audit Trail**: Secrets Manager provides logs of who accessed secrets and when. - **Automatic Rotation**: Reduces the risk of credential compromise through regular updates. This solution provides a secure, scalable, and maintainable approach to database credential management with automatic rotation capabilities.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A company has several web servers that need to frequently access a common Amazon RDS MySQL Multi-AZ DB instance. The company wants a secure method for the web servers to connect to the database while meeting a security requirement to rotate user credentials frequently. Which solution meets these requirements?
A
Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager.
B
Store the database user credentials in AWS Systems Manager OpsCenter. Grant the necessary IAM permissions to allow the web servers to access OpsCenter.
C
Store the database user credentials in a secure Amazon S3 bucket. Grant the necessary IAM permissions to allow the web servers to retrieve credentials and access the database.
D
Store the database user credentials in files encrypted with AWS Key Management Service (AWS KMS) on the web server file system. The web server should be able to decrypt the files and access the database.