Implementing Automatic Rotation of Database Credentials in DocumentDB | AWS Certified Database - Specialty Exam

Automatic Rotation of Database Credentials in DocumentDB

Question

An application uses DocumentDB as its database.

The application development team wants to implement automatic rotation of database credentials.

How should the application team meet this requirement?

Answers

Explanations

Answer: A.

Option A is CORRECT because AWS Secrets Manager can be used to store and automatically rotate database credentials securely.

Option B is incorrect because AWS Systems Manager Parameter Store cannot automatically rotate stored parameters.

Option C is incorrect because AWS KMS is used for storing cryptographic encryption keys.

Option D is incorrect because AWS KMS is used for storing cryptographic encryption keys, not application credentials, and rotating them with a custom Lambda function adds setup and maintenance that Secrets Manager already handles.

Reference:

https://aws.amazon.com/blogs/security/how-to-rotate-amazon-documentdb-and-amazon-redshift-credentials-in-aws-secrets-manager/

The correct answer to this question is A: Store credentials in AWS Secrets Manager. Update the application to retrieve the credentials. Enable secret rotation.

Explanation: AWS Secrets Manager is a service that allows you to securely store and manage secrets, such as database credentials, API keys, and other sensitive information. AWS Secrets Manager provides automatic rotation for secrets: you can configure it to change the credentials for a particular database and update the stored secret on a specified schedule, so the application never has to manage the new password itself.

In this scenario, the application development team wants to implement automatic rotation of database credentials. To meet this requirement, the team should use AWS Secrets Manager to store the credentials. The team should update the application code to retrieve the credentials from AWS Secrets Manager instead of hardcoding them in the application code. Once the credentials are stored in AWS Secrets Manager and the application code is updated, the team can enable secret rotation for the database credentials.
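The three steps above (store the secret, have the application read it, enable rotation) leave one practical detail to the application: a password it has cached becomes stale the moment rotation completes. The following added example (not code from the page or from AWS) shows a client that reads the secret, builds a DocumentDB connection string from it, caches the credentials, and re-reads the secret once when the database rejects them. The secret layout (`username`, `password`, `host`, `port`, `ssl`, `dbClusterIdentifier`) is assumed to match what the Secrets Manager DocumentDB rotation template writes; the secret name, hostname and `FakeSecretsManager`/`FakeDocumentDB` stand-ins are constructed so the example runs offline.

```python
"""Retrieve DocumentDB credentials from Secrets Manager and survive rotation.
Added example, not from the page. Assumes the secret is JSON with the keys the
DocumentDB rotation template writes (username, password, host, port, ssl,
dbClusterIdentifier); confirm the key set against your own secret."""
import json
import time
from urllib.parse import quote_plus

REQUIRED_KEYS = ("username", "password", "host", "port")


class AuthenticationError(Exception):
    """Raised by the database when the presented credentials are rejected."""


def parse_secret(secret_string):
    """Parse the SecretString JSON and reject secrets missing required fields."""
    secret = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return secret


def build_mongo_uri(secret):
    """Build a DocumentDB URI; percent-encode credentials so a rotated password
    containing ':' '@' '/' or '%' cannot corrupt it. tls=true keeps the session
    encrypted and retryWrites=false is required by DocumentDB."""
    user, pwd = quote_plus(secret["username"]), quote_plus(secret["password"])
    tls = "true" if secret.get("ssl", True) else "false"
    return (f"mongodb://{user}:{pwd}@{secret['host']}:{secret['port']}/"
            f"?tls={tls}&retryWrites=false")


def fetch_secret(client, secret_id):
    """Read one secret through a boto3 secretsmanager client or the stub below."""
    return parse_secret(client.get_secret_value(SecretId=secret_id)["SecretString"])


class CredentialCache:
    """TTL cache in front of Secrets Manager; refresh() recovers after rotation."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._secret, self._loaded_at = None, None

    def get(self):
        expired = self._loaded_at is None or self.clock() - self._loaded_at > self.ttl
        return self.refresh() if expired else self._secret

    def refresh(self):
        self._secret = fetch_secret(self.client, self.secret_id)
        self._loaded_at = self.clock()
        return self._secret


def connect_with_rotation_retry(cache, connect):
    """Connect with cached credentials; on rejection, re-read the secret once.
    A cached password goes stale when rotation completes, so the application
    must refresh rather than hard-code the value or cache it forever."""
    try:
        return connect(cache.get())
    except AuthenticationError:
        return connect(cache.refresh())


# --- Constructed stand-ins so the example runs offline ---------------------
class FakeSecretsManager:
    """Mimics the get_secret_value response shape of the boto3 client."""

    def __init__(self, secrets):
        self.secrets, self.calls = secrets, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secrets[SecretId])}


class FakeDocumentDB:
    """Accepts only the current username/password pair."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def connect(self, secret):
        if (secret["username"], secret["password"]) != (self.username, self.password):
            raise AuthenticationError("authentication failed")
        return f"session:{secret['username']}"


def rotate(sm, secret_id, db, new_password):
    """Outline of what managed rotation does: change the database password,
    then write the new value into the secret."""
    db.password = new_password
    sm.secrets[secret_id]["password"] = new_password


def demo():
    secret_id = "prod/documentdb/app"  # hypothetical secret name
    initial = {"username": "appuser", "password": "p@ss:word/1", "engine": "mongo",
               "host": "docdb.example.internal", "port": 27017, "ssl": True,
               "dbClusterIdentifier": "example-cluster"}  # constructed values
    sm = FakeSecretsManager({secret_id: dict(initial)})
    db = FakeDocumentDB("appuser", "p@ss:word/1")
    cache = CredentialCache(sm, secret_id, ttl_seconds=300)
    first = connect_with_rotation_retry(cache, db.connect)
    rotate(sm, secret_id, db, "n3w%pass@word")
    # Cache is still within its TTL, so the stale password is tried first,
    # rejected, refreshed from Secrets Manager and accepted on retry.
    second = connect_with_rotation_retry(cache, db.connect)
    return {"first": first, "second": second, "secret_reads": sm.calls,
            "uri": build_mongo_uri(cache.get())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment `FakeSecretsManager` is replaced by `boto3.client("secretsmanager")` and `db.connect` by a driver connection built from `build_mongo_uri`; the cache keeps Secrets Manager calls off the hot path, and the single refresh-on-rejection is what makes the application tolerate rotation without a restart.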

Option B suggests storing the credentials in AWS Systems Manager Parameter Store, which is a similar service to AWS Secrets Manager but does not provide automatic secret rotation. Option C suggests storing the credentials in AWS KMS, which is a key management service that allows you to create and manage cryptographic keys. While AWS KMS can be used to encrypt secrets, it does not store application credentials or provide automatic secret rotation.

Option D suggests storing the credentials in AWS KMS and using an AWS Lambda function to rotate the credentials. While this approach can work, it requires more setup and maintenance than using AWS Secrets Manager. With AWS Secrets Manager, the secret rotation is fully managed by AWS, whereas with a custom Lambda function, the development team would need to maintain and update the function as needed.

In summary, the best approach to meet the application development team's requirement for automatic rotation of database credentials is to store the credentials in AWS Secrets Manager, update the application code to retrieve the credentials, and enable secret rotation.