Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 339 discussion

Parameter Store does not provide automatic credential rotation.

C. Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager. https://www.examtopics.com/discussions/amazon/view/46483-exam-aws-certified-solutions-architect-associate-saa-c02/

Management says the application must be made more secure with the least amount of programming effort. IMHO, this will rule out Lambda for this STEM.

credentials from Secrets Manager...

question is asking for "more secure with the least amount of programming effort." = Secrets Manager + Secretes Manager's built in rotation schedule instead of Lambda.

A KMS is for encryption keys specifically so this is a long way of doing the credentials storage B is too much work for rotation C exactly what secrets manager is designed for D You can do that if C wasn't an option

Store the RDS credentials in Secrets Manager Configure the application to retrieve the credentials from Secrets Manager Use Secrets Manager's built-in rotation to rotate the RDS credentials automatically

Secrets Manager can handle the rotation, so no need for Lambda to rotate the keys.

WHY NOT B ?

B, we need lambda for password rotation, confirmed!

If you need your DB to store credentials then use AWS Secret Manager. System Manager Paramater Store is for CloudFormation (no rotation)

why it's not A?

https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/

C is a valid solution for securing the custom application with the least amount of programming effort. It involves creating credentials on the RDS for MySQL database for the application user and storing them in AWS Secrets Manager. The application can then be configured to load the database credentials from Secrets Manager. Additionally, the solution includes setting up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager, which will automatically rotate the credentials at a specified interval without requiring any programming effort.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_database_secret.html

Answer - C https://ws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/