Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 11 discussion

B is wrong because parameter store does not support auto rotation, unless the customer writes it themselves, A is the answer.

Option A: Using AWS Secrets Manager and enabling automatic rotation is the recommended solution for minimizing the operational overhead of credential management. AWS Secrets Manager provides a secure and centralized service for storing and managing secrets, such as database credentials. By leveraging Secrets Manager, the application can retrieve the database credentials programmatically at runtime, eliminating the need to store them locally in a file. Enabling automatic rotation ensures that the database credentials are regularly rotated without manual intervention, enhancing security and compliance.

AWS Secrets Manager is a service that helps users manage, rotate, and retrieve secrets for applications, services, and IT resources. It can be used to secure secrets for AWS Cloud, third-party services, and on-premises -Automatic rotation: Secrets can be automatically rotated

AWS Secrets Manager: Is a managed service specifically designed to securely store and retrieve secrets, such as database credentials, API keys, and SSH keys. Provides features like automatic rotation, which helps to reduce the risk of compromised credentials. Integrates seamlessly with many AWS services, including Amazon RDS (which Aurora is a part of).

Answer is A https://aws.amazon.com/cn/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/ https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/

This is an ideal solution. Secrets Manager can rotate credentials automatically and ensures that the EC2 instances retrieve the most recent credentials securely.

Option A, using AWS Secrets Manager and turning on automatic rotation, would be the best solution to minimize the operational overhead of credential management. AWS Secrets Manager is a service that makes it easier to manage secrets, such as database credentials, by storing and rotating them automatically. By turning on automatic rotation, you can ensure that the secrets are regularly rotated, reducing the risk of unauthorized access to the database. This would minimize the operational overhead of credential management, as you would not have to manually rotate the secrets or update the EC2 instances with the new credentials.

A: READ!!! AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. It says SSM Parameter store cant rotate automatically.

Everybody here voting A, but only the master user's password of the Aurora database can be automatically stored and rotated. Who uses the master user's credentials in their application ? It looks to me like a serious security issue... Moreover answer A is not complete, missing steps are: - create IAM role to get secret - assign IAM role to EC2 instance - adapt the application to retrieve the secret from Secrets Manager instead of erading the file - make sure retrieval occurs every week I dont' call that minimizing operational overhead... Answer D is a lot more simple. In a real situation, none of these answers are relevant.

Option A , because of leas overhead.

Parameter Store: Storing and managing a database connection string or API endpoint URL that doesn’t require frequent rotation. Secrets Manager: Storing and managing database credentials that need to be rotated regularly for security compliance.

Answer A is correct

Secrets Manager, as The Mandalorian would say "this is the way!"

SSM has no automatic rotation.

The most suitable option for minimizing operational overhead of credential management in this scenario is: B. Use AWS Systems Manager Parameter Store. Turn on automatic rotation. AWS Systems Manager Parameter Store is a service that helps you manage configuration data, including sensitive information such as passwords and database strings, in a central, secure store. With automatic rotation enabled, the credentials can be automatically updated at scheduled intervals, reducing the manual effort required for credential management.

Secret manager with auto rotation.

BCD are extremely high operational overhead and not secure like A