DBS-C01 Question #30: Real Exam Question with Answer & Explanation
Correct answer: C
Question
A company is developing a multi-tier web application hosted on AWS using Amazon Aurora as the database. The application needs to be deployed to production and other non-production environments. A Database Specialist needs to specify different MasterUsername and MasterUserPassword properties in the AWS CloudFormation templates used for automated deployment. The CloudFormation templates are version controlled in the company's code repository. The company also needs to meet a compliance requirement by routinely rotating its database master password for production. What is the most secure solution to store the master password?
Options
- A. Store the master password in a parameter file in each environment. Reference the environment-
- B. Encrypt the master password using an AWS KMS key. Store the encrypted master password in
- C. Use the secretsmanager dynamic reference to retrieve the master password stored in AWS
- D. Use the ssm dynamic reference to retrieve the master password stored in the AWS Systems
Explanation
Using AWS Secrets Manager through a CloudFormation dynamic reference ({{resolve:secretsmanager:...}}) is the most secure option. The template, and therefore the version-controlled repository, holds only a reference to the secret; CloudFormation resolves the actual value when the stack is created or updated, so the password never appears in the template. Secrets Manager encrypts the secret with AWS KMS and can rotate Aurora credentials on a schedule using its managed rotation functions, which satisfies both requirements at once: secrets stay out of code, and the production password is rotated routinely. One caveat: a dynamic reference that does not pin a version-id resolves to the current value on each stack update, so a rotated password is picked up automatically on the next update; do not pin a version for the production cluster or the stack will keep supplying the stale value.
Why the distractors are wrong:
- Option A is insecure because storing passwords in parameter files - even per-environment - risks exposing credentials in the version-controlled code repository.
- Option B: a KMS-encrypted password stored in the CloudFormation template is still ciphertext committed to version control, recoverable by anyone with kms:Decrypt on that key, and it provides no automatic rotation; every rotation would mean re-encrypting and re-committing the value.
- Option D uses AWS Systems Manager Parameter Store. A SecureString parameter is encrypted with KMS, but Parameter Store has no native rotation for database credentials, so the compliance requirement is not met. Note also that the plain ssm dynamic reference resolves only String and StringList parameters; reading a SecureString requires the ssm-secure dynamic reference.
Memory Tip: Think "Secrets Manager = Rotation" - whenever an exam question mentions compliance, routine rotation, or database credentials, Secrets Manager is almost always the answer over SSM Parameter Store, because rotation is its defining differentiator. If you see "rotate," think "Secrets Manager."
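The mechanism behind option C, as an added example that is not from the exam page or from AWS: a small Python lint that walks a JSON-style CloudFormation template, classifies how MasterUserPassword is supplied (literal, Ref to a template parameter, ssm, ssm-secure or secretsmanager dynamic reference) and checks that a RotationSchedule covers the referenced secret. The two embedded templates are constructed for this example. The resource types, properties and the {{resolve:...}} syntax are the real CloudFormation ones; the logical IDs, the 30-day schedule, the 90-day compliance threshold and the omitted HostedRotationLambda VPC settings are assumptions.

```python
"""Lint CloudFormation templates for how the Aurora master password is supplied.
Templates are JSON-style dicts (CloudFormation accepts JSON as well as YAML)."""
import re

DB_TYPES = {"AWS::RDS::DBCluster", "AWS::RDS::DBInstance"}
# The three dynamic-reference services CloudFormation resolves at deploy time.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure|ssm):(.+)\}\}$")


def as_text(value):
    """Flatten a string, Fn::Sub or Fn::Join value to text; Refs become ${Name}."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        return sub if isinstance(sub, str) else sub[0]
    if isinstance(value, dict) and "Fn::Join" in value:
        delim, parts = value["Fn::Join"]
        return delim.join("${%s}" % p.get("Ref", "?") if isinstance(p, dict) else str(p)
                          for p in parts)
    return None


def classify(value):
    """(kind, detail) for a MasterUserPassword value.
    secretsmanager = option C; ssm-secure = SecureString (encrypted, no native
    rotation); ssm = plain String parameter (cannot even read a SecureString);
    parameter = Ref to a template parameter (caller supplies it, option A);
    plaintext = literal in the template (option B at best). A literal is never
    echoed back, only its length."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return "parameter", value["Ref"]
    text = as_text(value)
    if text is None:
        return "unknown", type(value).__name__
    m = DYNAMIC_REF.match(text)
    if m:
        return m.group(1), m.group(2)
    return "plaintext", "literal of %d chars" % len(text)


def rotation_days(template, secret_id):
    """AutomaticallyAfterDays of the RotationSchedule for a secret, else None."""
    for res in template.get("Resources", {}).values():
        props = res.get("Properties", {})
        if (res.get("Type") == "AWS::SecretsManager::RotationSchedule"
                and props.get("SecretId") == {"Ref": secret_id}):
            return props.get("RotationRules", {}).get("AutomaticallyAfterDays")
    return None


def audit(template):
    """One (logical_id, kind, detail, rotation_days) per RDS resource."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in DB_TYPES:
            continue
        kind, detail = classify(res.get("Properties", {}).get("MasterUserPassword"))
        days = None
        if kind == "secretsmanager":
            # detail is "${Secret}:SecretString:password" when the secret lives in
            # the same stack; a literal ARN must be checked outside the template.
            ref = re.match(r"^\$\{(\w+)\}", detail)
            days = rotation_days(template, ref.group(1)) if ref else None
        findings.append((logical_id, kind, detail, days))
    return findings


def is_compliant(template, max_days=90):
    """True only if every RDS password comes from Secrets Manager with rotation."""
    findings = audit(template)
    return bool(findings) and all(
        kind == "secretsmanager" and days is not None and days <= max_days
        for _, kind, _, days in findings)


# Constructed anti-pattern: the literal lives in version control forever.
INSECURE_TEMPLATE = {"Resources": {"AuroraCluster": {
    "Type": "AWS::RDS::DBCluster",
    "Properties": {"Engine": "aurora-mysql", "MasterUsername": "admin",
                   "MasterUserPassword": "Summer2024!"}}}}

# Constructed option-C template: Secrets Manager generates the password, the
# cluster resolves it at deploy time, the attachment tells the rotation function
# which cluster to update, and the schedule rotates every 30 days (assumed).
# HostedRotationLambda VPC settings are omitted and assumed configured elsewhere.
SECURE_TEMPLATE = {"Resources": {
    "MasterSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
        "GenerateSecretString": {"SecretStringTemplate": '{"username": "admin"}',
                                 "GenerateStringKey": "password",
                                 "PasswordLength": 32, "ExcludeCharacters": '"@/\\'}}},
    "AuroraCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {
        "Engine": "aurora-mysql",
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MasterSecret}:SecretString:username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MasterSecret}:SecretString:password}}"}}},
    "SecretAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": {
        "SecretId": {"Ref": "MasterSecret"}, "TargetId": {"Ref": "AuroraCluster"},
        "TargetType": "AWS::RDS::DBCluster"}},
    "MasterSecretRotation": {"Type": "AWS::SecretsManager::RotationSchedule",
        "DependsOn": "SecretAttachment", "Properties": {
        "SecretId": {"Ref": "MasterSecret"},
        "HostedRotationLambda": {"RotationType": "MySQLSingleUser"},
        "RotationRules": {"AutomaticallyAfterDays": 30}}}}}

if __name__ == "__main__":
    for name, tpl in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(name, audit(tpl), "compliant:", is_compliant(tpl))
```

Run this as a pre-commit or CI check over every template in the repository: any finding other than secretsmanager with a rotation schedule is exactly the situation options A, B and D create, and the check fails before the template reaches version control.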