Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 302 discussion

Managed rotation vs. automatic rotation: Managed rotation requires manual intervention to specify when a secret should be rotated. This doesn't meet the requirement of automated password rotation on a regular basis. Automatic rotation automatically rotates secrets based on a defined schedule, meeting the requirement for regular password changes. Single user vs. alternating users: Single user rotation means there is only one set of credentials. Rotating this would cause downtime as the application needs to update its connection information. Alternating users rotation uses two sets of credentials. Only one is active at a time. When it's time to rotate, the inactive set is rotated, and then the application switches to using that set, avoiding downtime

B: Managed rotation alternating users

I think the term "automatic rotation" is confusing here. The right term in the AWS documentation is "Managed rotation". The managed rotation is available for RDS and it automate the rotation process on a regular basis.

B is the correct answer. D is wrong because automatic rotation requires the developer to write and manage custom rotation logic. Using managed rotation is simpler and more operationally efficient.

"Automatic rotation" is not a distinct concept in AWS Secrets Manager; rotation is always "managed." This option likely refers to the alternating strategy but does not add clarity compared to managed rotation.

Automatic rotation does not address the high availability requirement. If the rotation process causes downtime, it could impact our application's stability

B. Configure managed rotation with the alternating users rotation strategy.

D is the correct answer.

Automatic Rotation We strongly recommend that you use automatic rotation instead of managed rotation. Automatic rotation simplifies the rotation process and offers several advantages over managed rotation, including: It eliminates the need to create and manage Lambda functions to update the secret in AWS Secrets Manager or the database. It supports the alternating users rotation strategy, which is no longer supported for managed rotation. (Source: AWS Secrets Manager documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)

Using AWS Secrets Manager's managed rotation with the alternating users rotation strategy is ideal for databases like Amazon RDS for PostgreSQL. This strategy involves creating a second user in the database with the same permissions as the original user. During rotation, Secrets Manager switches between these two users, updating the credentials for the inactive user and then making it the active user for subsequent connections. This approach minimizes the risk of downtime because the application can continue to use the currently active credentials while the other set is being rotated. It also ensures that credentials are regularly updated, enhancing security without disrupting database access.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_rotation-alternating.html#:~:text=This%20strategy%20is%20a%20good%20choice%20if%20you%20need%20high%20availability%20for%20your%20secret%2C%20because%20one%20of%20the%20alternating%20users%20has%20current%20credentials%20to%20the%20database%20while%20the%20other%20one%20is%20being%20updated.%20For%20more

Both B and D options involve using the alternating users rotation strategy, which is suitable for ensuring high availability and no downtime during secret rotation. The difference between "managed rotation" and "automatic rotation" is mostly semantic in this context, as both terms refer to the capability of AWS Secrets Manager to automatically rotate the secret. The more common terminology used in the context of AWS Secrets Manager is "managed rotation," so option B is often preferred.