Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 26 discussion

A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:
The database must use strong, randomly generated passwords stored in a secure AWS managed service.
The application resources must be deployed through AWS CloudFormation.
The application must rotate credentials for the database every 90 days.
A solutions architect will generate a CloudFormation template to deploy the application.
Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

  • A. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
  • B. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
  • C. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
  • D. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.
Suggested Answer: A 🗳️
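The following CloudFormation template is an added example of what option A looks like in practice; it is not from the ExamTopics page or from any commenter. Resource names (DbSecret, DbInstance, DbSecretAttachment, DbSecretRotation), the two parameters, and the db.t3.micro instance class are assumptions chosen for illustration. Note that the "Lambda function resource" of option A is provisioned by the AWS::SecretsManager-2020-07-23 transform through the HostedRotationLambda property, so no hand-written AWS::Lambda::Function appears in the template, and the generated password never appears in the template, parameters, or stack outputs.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# The transform is required for HostedRotationLambda; it generates the rotation Lambda for you
Transform: AWS::SecretsManager-2020-07-23
Description: Added example (not ExamTopics content) - RDS for MySQL credential in Secrets Manager with 90-day rotation

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Placeholder - private subnets for the database and the rotation function
  DbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Placeholder - security group that allows the rotation function to reach the database on 3306

Resources:
  # 1. Strong, randomly generated password created and stored by Secrets Manager
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the example RDS for MySQL instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets for the example database
      SubnetIds: !Ref SubnetIds

  # 2. The database consumes the secret through a dynamic reference resolved at deploy time,
  #    so the password is never written into the template itself
  DbInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups:
        - !Ref DbSecurityGroupId
      PubliclyAccessible: false
      StorageEncrypted: true
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'

  # 3. The attachment writes host, port, dbname and engine into the secret so the rotation
  #    function knows which database to update
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref DbInstance
      TargetType: AWS::RDS::DBInstance

  # 4. Rotation every 90 days with the AWS-hosted MySQL single-user rotation function;
  #    DependsOn ensures the connection details exist before the first rotation is scheduled
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: !Sub '${AWS::StackName}-mysql-rotation'
        VpcSecurityGroupIds: !Ref DbSecurityGroupId
        VpcSubnetIds: !Join [',', !Ref SubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 90
```

Deploying this stack also performs an initial rotation immediately after the RotationSchedule is created, so the application should read the secret at connection time (or on each retry) rather than caching the password at startup; otherwise the first rotation, not the 90-day one, is the first thing that breaks.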

Comments

Untamables
Highly Voted 1 year, 10 months ago
Selected Answer: A
A https://docs.aws.amazon.com/secretsmanager/latest/userguide/cloudformation.html Option B is wrong. The ParameterStore::RotationSchedule resource does not exist in CloudFormation. Option C is wrong. It does not meet the requirement because it does not use CloudFormation. Option D is wrong. The AWS::AppSync::DataSource resource is used to create data sources for resolvers in AWS AppSync to connect to.
upvoted 17 times
OnePunchExam
1 year, 7 months ago
Agree with A but I want to nitpick on this reply "The ParameterStore::RotationSchedule resource does not exist in CloudFormation". It is technically more correct to say ParameterStore does not support automated rotation of secrets instead of saying ParameterStore::RotationSchedule is not supported by CF.
upvoted 9 times
karma4moksha
Highly Voted 1 year, 5 months ago
Ans A, but the answer is badly phrased. Why is the Lambda needed? Refer to the docs: Some services offer managed rotation, where the service configures and manages rotation for you. With managed rotation, you don't use an AWS Lambda function to update the secret and the credentials in the database. The following services offer managed rotation: Amazon RDS offers managed rotation for master user credentials. For more information, see Password management with Amazon RDS and AWS Secrets Manager in the Amazon RDS User Guide.
upvoted 13 times
ftaws
9 months, 3 weeks ago
I agree with you. Secrets Manager supports rotating credentials.
upvoted 3 times
amministrazione
Most Recent 2 months, 1 week ago
A. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
upvoted 1 times
MAZIADI
2 months, 3 weeks ago
Selected Answer: A
Secrets Manager ($$$): Automatic rotation of secrets with AWS Lambda // SSM Parameter Store ($): No secret rotation (can enable rotation using Lambda triggered by EventBridge) --> more overhead even if it is cheaper ==> Answer A
upvoted 1 times
ivarnarik1
6 months ago
Correct Answer: A. CloudFormation template: Systems Manager has no resource called RotationSchedule, whereas CloudFormation template: Secrets Manager indeed has a resource called RotationSchedule. Therefore the correct answer is A only.
upvoted 1 times
gofavad926
7 months, 3 weeks ago
Selected Answer: A
A is the correct answer
upvoted 1 times
8608f25
9 months ago
Selected Answer: A
Option A is the most straightforward and provides the least amount of operational overhead because it leverages AWS Secrets Manager’s native capabilities for secret rotation. This eliminates the need for custom rotation logic or external triggers for rotation, unlike the other options that either rely on AWS Systems Manager Parameter Store (which does not have built-in secret rotation capabilities like Secrets Manager) or require additional resources such as Amazon EventBridge or AWS AppSync for triggering rotations, which complicates the architecture and increases operational overhead. Therefore, Option A is the correct choice as it directly addresses all the specified requirements using the intended features of AWS services, ensuring security and efficiency with minimal operational complexity.
upvoted 3 times
AimarLeo
9 months, 1 week ago
OK.. A.. but.. Lambda to rotate for Secrets Manager? It does rotation natively! Why is that?
upvoted 3 times
atirado
10 months, 3 weeks ago
Selected Answer: A
Option A - This option will work: This option takes advantage of the Automatic Rotation feature in Secrets Manager, which reduces operational overhead during secret rotation, i.e. CloudTrail will show a secret was rotated.
Option B - This option will not work: Parameter Store does not have a feature called RotationSchedule.
Option C - This option might work but increases overhead: Rotation will be triggered on the 90-day schedule, but more work will be necessary to validate the secret was rotated and tested, i.e. CloudTrail logs will only show a Lambda function was triggered.
Option D - This option will not work: Parameter Store does not have a feature called RotationSchedule.
upvoted 4 times
shaaam80
11 months, 1 week ago
Selected Answer: A
Answer A. Password rotation -> Secrets Manager
upvoted 1 times
whenthan
1 year, 2 months ago
Selected Answer: A
Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead? use https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html
upvoted 1 times
SK_Tyagi
1 year, 2 months ago
All - I feel the answer is A, but why does it say Correct Answer "B"? What is the rationale behind B, can anyone explain? I am so confused??
upvoted 2 times
The answers shown as correct are almost never the right ones on these test dumps, just pay attention to what was most voted and the discussions in the comments
upvoted 4 times
chico2023
1 year, 3 months ago
Selected Answer: A
Answer: A
upvoted 1 times
NikkyDicky
1 year, 4 months ago
Selected Answer: A
it's an A
upvoted 1 times
rtguru
1 year, 5 months ago
A poorly phrased but seems to be the best option in this scenario
upvoted 1 times
gameoflove
1 year, 6 months ago
Selected Answer: A
AWS Secrets Manager is the best option for password safety, and the option fulfills all the requirements.
upvoted 1 times
chiplyti
1 year, 6 months ago
Selected Answer: A
A correct
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other