CLF-C02 Question #192: Real Exam Question with Answer & Explanation
Question
What is the MOST secure way to store passwords on AWS?
Options
- A. Store passwords in an Amazon S3 bucket.
- B. Store passwords as AWS CloudFormation parameters.
- C. Store passwords in AWS Storage Gateway.
- D. Store passwords in AWS Secrets Manager.
Explanation
AWS Secrets Manager (D) is purpose-built for securely storing, managing, and retrieving sensitive credentials like passwords. It provides automatic secret rotation, fine-grained IAM access controls, encryption at rest using AWS KMS, and full audit logging through CloudTrail - making it the gold standard for secrets management on AWS.
Why the other options fall short:
- A (S3): S3 is object storage designed for files and data, not credential management - passwords stored there lack built-in rotation and are easily exposed if bucket policies are misconfigured.
- B (CloudFormation parameters): While CloudFormation has a NoEcho option to mask values in the console, parameters are not encrypted at rest and are not meant for long-term secrets storage.
- C (Storage Gateway): This service is a hybrid storage bridge connecting on-premises environments to AWS storage - it has nothing to do with secrets or password management.
Memory Tip: Think of AWS Secrets Manager as a locked vault with a built-in key rotation service - if the question mentions passwords, credentials, or API keys needing secure storage + rotation, always think Secrets Manager. The word "secret" in the service name is your clue! 🔐