AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has several web servers that need to frequently access a common Amazon RDS MySQL Multi-AZ DB instance. The company wants a secure method for the web servers to connect to the database while meeting a security requirement to rotate user credentials frequently. Which solution meets these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager.

Store the database user credentials in AWS Systems Manager OpsCenter. Grant the necessary IAM permissions to allow the web servers to access OpsCenter.

Store the database user credentials in a secure Amazon S3 bucket. Grant the necessary IAM permissions to allow the web servers to retrieve credentials and access the database.

Store the database user credentials in files encrypted with AWS Key Management Service (AWS KMS) on the web server file system. The web server should be able to decrypt the files and access the database.

Explanation:

Explanation

Correct Answer: A

AWS Secrets Manager is specifically designed for managing secrets like database credentials with built-in rotation capabilities. Here's why this is the best solution:

Why AWS Secrets Manager is the Right Choice:

Automatic Credential Rotation: Secrets Manager can automatically rotate database credentials according to a schedule you define, meeting the requirement for frequent credential rotation.
Secure Storage: Credentials are encrypted at rest using AWS KMS keys.
IAM Integration: Web servers can be granted IAM permissions to retrieve secrets, eliminating the need to store credentials on the file system.
RDS Integration: Secrets Manager has native integration with Amazon RDS, making it easy to manage database credentials.

Why Other Options Are Not Ideal:

Option B - AWS Systems Manager OpsCenter:

OpsCenter is designed for operational management and incident response, not for secret management with rotation capabilities.
It doesn't provide built-in credential rotation features.

Option C - Amazon S3 Bucket:

While S3 can store encrypted credentials, it doesn't provide automatic rotation capabilities.
You would need to build your own rotation mechanism, which is less secure and more complex.
Credentials would need to be manually updated and uploaded to S3.

Option D - KMS-encrypted files on web servers:

Credentials are stored on the web server file system, which is less secure than centralized secret management.
No built-in rotation mechanism - you would need to manually update files on all web servers.
If a web server is compromised, the encrypted credentials could potentially be accessed.

Best Practices Implemented by Option A:

Principle of Least Privilege: IAM policies grant only the necessary permissions to retrieve secrets.
Centralized Management: All credentials are managed in one place.
Audit Trail: Secrets Manager provides logs of who accessed secrets and when.
Automatic Rotation: Reduces the risk of credential compromise through regular updates.

This solution provides a secure, scalable, and maintainable approach to database credential management with automatic rotation capabilities.

Powered ByGPT-5.2

Comments

Loading comments...