Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 86 discussion

Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

B. SSM OpsCenter is primarily used for managing and resolving operational issues. It is not designed to securely store and manage credentials like AWS Secrets Manager. C. Storing credentials in an S3 bucket may provide some level of security, but it lacks the additional features and security controls offered by AWS Secrets Manager. D. While using KMS for encryption is a good practice, managing credentials directly on the web server file system can introduce complexities and potential security risks. It can be challenging to securely manage and rotate credentials across multiple web servers, especially when considering scalability and automation. In summary, option A is the recommended solution as it leverages AWS Secrets Manager, which is purpose-built for securely storing and managing secrets, and provides the necessary IAM permissions to allow the web servers to access the credentials securely.

Rotate Key ===> Secrets Manager

AWS Secret's Manager is the most suitable option here as it provides rotation of credentials using Lambda.

Ans A - Secrets Manager, auto rotates...

A is the right answer, you should never store any of your credentials in files, even if they are encrypted. Also, secrets manager fulfills the credentials rotation condition.

While I agree that A is the most feasible answer, I don't see how it satisfies the "a secure method for the web servers to connect to the database" requirement. ASM is about securely storing and rotating secrets, but has nothing to do with "secure connection" between the web servers and RDS. That would require something like IAM DB authentication, which is not even mentioned.

rotation = SM

AWS Secrets Manager is best for storing credentials and supports auto rotation so A is the best choice

A = Rotation of user credentials can be automated using Secrets Manager.

option A is the recommended solution as it leverages AWS Secrets Manager, which is purpose-built for securely storing and managing secrets, and provides the necessary IAM permissions to allow the web servers to access the credentials securely.

AWS Secrets Manager to the rescue....up up and awaaaay

The correct answer is A. Here is the explanation: AWS Secrets Manager is a service that helps you store, manage, and rotate secrets. Secrets Manager is a good choice for storing database user credentials because it is secure and scalable. IAM permissions can be used to grant web servers access to AWS Secrets Manager. This will allow the web servers to retrieve the database user credentials from Secrets Manager and use them to connect to the database. Rotation of user credentials can be automated using Secrets Manager. This will ensure that the database user credentials are rotated on a regular basis, meeting the security requirement.

Option A is ans.

A is correct

literally screams for AWS secrets manager to rotate the credentails

***CORRECT*** Option A. Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager. Option A is correct because it meets the requirements specified in the question: a secure method for the web servers to connect to the database while meeting a security requirement to rotate user credentials frequently. AWS Secrets Manager is designed specifically to store and manage secrets like database credentials, and it provides an automated way to rotate secrets every time they are used, ensuring that the secrets are always fresh and secure. This makes it a good choice for storing and managing the database user credentials in a secure way.