Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 123 discussion

Its a difficult choice between B and D Option B leverages the existing AWS CLI command to generate a secure string, and then passes it as a parameter to CloudFormation, where it can be used to create the DB instance. But, if the use of Secrets Manager is already part of the organization's infrastructure, and the setup has already been completed, then option D may indeed be the simplest solution.

A) Eliminated - This approach requires writing and maintaining custom Lambda code, which adds development effort. B) Eliminated - This requires some setup in CodeBuild and manual handling of parameters, which adds complexity. C) Eliminated - Same as option A (Reason) D) Correct - Secrets Manager handles password generation and rotation automatically. This approach uses native CloudFormation functionality with no custom code.

Ans is B because the keyword is automatically generate passwords by secret manger by lest effort

D is the correct answer.

Where is the automatic generating of the password in option D?

D. Use the AWS::SecretsManager::Secret resource to generate a secure string. Store the secure string as a secret in AWS Secrets Manager. Use the secretsmanager dynamic reference to use the value stored in the secret to create the DB instance: This solution efficiently uses AWS CloudFormation's native integration with AWS Secrets Manager. The AWS::SecretsManager::Secret resource type in CloudFormation can generate a secure string and store it as a secret. The secret value can then be used directly in the CloudFormation template to set the RDS instance password, using the secretsmanager dynamic reference. This approach minimizes development effort and leverages existing AWS services.

D: This option leverages a native CloudFormation resource specifically designed for secret management. It eliminates the need for custom code or external tools, making it the simplest and most effort-efficient solution. This approach minimizes custom code and utilizes native CloudFormation features, reducing overall complexity and maintenance.

you can create secrets with AWS::SecretsManager::Secret so it is the correct answer.

I was dilly dallying between B and D....but this helped me solidify my answer choice https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html

With AWS CloudFormation, you can retrieve a secret to use in another AWS CloudFormation resource. A common scenario is to first create a secret with a password generated by Secrets Manager, and then retrieve the username and password from the secret to use as credentials for a new database. https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html

Option B provides a straightforward approach to generating a secure string for the DB instance password and using it in CloudFormation with minimal development effort. Here's why this option is efficient: CodeBuild Action: Using the AWS CodeBuild action within CodePipeline to generate a secure string using the aws secretsmanager get-random-password command allows you to easily create a random password without writing custom Lambda code. CloudFormation Parameter: You can pass the generated secure string as a CloudFormation parameter with the NoEcho attribute set to true. This ensures that the parameter value won't be exposed in CloudFormation outputs or logs.

The correct option is D. Create the password from secrets manager.

yes it's D

The answer is D This is a secretsmanager dynamic reference sample in cloud formation

I think answer is D https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-rds-integration-aws-secrets-manager/