Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 11 discussion

B is wrong because parameter store does not support auto rotation, unless the customer writes it themselves, A is the answer.

Option A: Using AWS Secrets Manager and enabling automatic rotation is the recommended solution for minimizing the operational overhead of credential management. AWS Secrets Manager provides a secure and centralized service for storing and managing secrets, such as database credentials. By leveraging Secrets Manager, the application can retrieve the database credentials programmatically at runtime, eliminating the need to store them locally in a file. Enabling automatic rotation ensures that the database credentials are regularly rotated without manual intervention, enhancing security and compliance.

This is an ideal solution. Secrets Manager can rotate credentials automatically and ensures that the EC2 instances retrieve the most recent credentials securely.

Option A, using AWS Secrets Manager and turning on automatic rotation, would be the best solution to minimize the operational overhead of credential management. AWS Secrets Manager is a service that makes it easier to manage secrets, such as database credentials, by storing and rotating them automatically. By turning on automatic rotation, you can ensure that the secrets are regularly rotated, reducing the risk of unauthorized access to the database. This would minimize the operational overhead of credential management, as you would not have to manually rotate the secrets or update the EC2 instances with the new credentials.

A: READ!!! AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. It says SSM Parameter store cant rotate automatically.

Everybody here voting A, but only the master user's password of the Aurora database can be automatically stored and rotated. Who uses the master user's credentials in their application ? It looks to me like a serious security issue... Moreover answer A is not complete, missing steps are: - create IAM role to get secret - assign IAM role to EC2 instance - adapt the application to retrieve the secret from Secrets Manager instead of erading the file - make sure retrieval occurs every week I dont' call that minimizing operational overhead... Answer D is a lot more simple. In a real situation, none of these answers are relevant.

Option A , because of leas overhead.

Parameter Store: Storing and managing a database connection string or API endpoint URL that doesn’t require frequent rotation. Secrets Manager: Storing and managing database credentials that need to be rotated regularly for security compliance.

Answer A is correct

Secrets Manager, as The Mandalorian would say "this is the way!"

SSM has no automatic rotation.

The most suitable option for minimizing operational overhead of credential management in this scenario is: B. Use AWS Systems Manager Parameter Store. Turn on automatic rotation. AWS Systems Manager Parameter Store is a service that helps you manage configuration data, including sensitive information such as passwords and database strings, in a central, secure store. With automatic rotation enabled, the credentials can be automatically updated at scheduled intervals, reducing the manual effort required for credential management.

Secret manager with auto rotation.

BCD are extremely high operational overhead and not secure like A

A is correct

B becasue the user wants reduce costs and SSM Parameter Store layer Standard is free and the type SecureString uses KMS

It should be "A."