SAA-C03 · Question #609
SAA-C03 Question #609: Real Exam Question with Answer & Explanation
The correct answer is A: Create a new AWS Key Management Service (AWS KMS) encryption key. Use AWS Secrets.
Question
A company hosts a multi-tier web application that uses an Amazon Aurora MySQL DB cluster for storage. The application tier is hosted on Amazon EC2 instances. The company's IT security guidelines mandate that the database credentials be encrypted and rotated every 14 days. What should a solutions architect do to meet this requirement with the LEAST operational effort?
Options
- A. Create a new AWS Key Management Service (AWS KMS) encryption key. Use AWS Secrets
- B. Create two parameters in AWS Systems Manager Parameter Store: one for the user name as a
- C. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS)
- D. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS)
Explanation
To meet the requirement of encrypting and rotating Amazon Aurora MySQL DB cluster credentials every 14 days with the least operational effort, a solutions architect should use AWS Secrets Manager with AWS KMS.
Common mistakes.
- B. AWS Systems Manager Parameter Store can store encrypted parameters but does not natively provide automatic rotation for database credentials, requiring custom scripting and increased operational effort.
- C. Storing credentials in a KMS-encrypted file in Amazon S3 would require custom logic for encryption, decryption, access management, and rotation, which is not the least operational effort.
- D. Storing credentials in a KMS-encrypted file on an Amazon EC2 instance requires manual management, secure distribution, and custom rotation logic, which significantly increases operational effort.
Concept tested. Secure secret management, database credential rotation, AWS Secrets Manager
Reference. https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
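The following added example (not part of the original page) shows how the 14-day guideline can be checked against secret metadata shaped like the Secrets Manager `DescribeSecret` response (`KmsKeyId`, `RotationEnabled`, `RotationRules`, `LastRotatedDate`). The secret names, ARNs, dates and the one-day grace period are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_DAYS = 14                 # interval required by the guideline in the question
GRACE = timedelta(days=1)     # assumption: slack for the rotation window

def rotation_interval_days(rules):
    """Interval in days from a RotationRules dict; None if not a simple rate."""
    if "AutomaticallyAfterDays" in rules:
        return float(rules["AutomaticallyAfterDays"])
    m = re.fullmatch(r"rate\((\d+) (hour|day)s?\)", rules.get("ScheduleExpression", ""))
    if not m:
        return None           # cron() or missing schedule: review by hand
    n = int(m.group(1))
    return float(n) if m.group(2) == "day" else n / 24

def audit_secret(desc, now):
    """Return findings for one DescribeSecret-shaped dict."""
    findings = []
    key = desc.get("KmsKeyId", "")
    # DescribeSecret omits KmsKeyId when the AWS managed key is in use.
    if not key or key.endswith("alias/aws/secretsmanager"):
        findings.append("uses the AWS managed key, not a key the company created")
    if not desc.get("RotationEnabled"):
        return findings + ["automatic rotation is disabled"]
    days = rotation_interval_days(desc.get("RotationRules", {}))
    if days is None:
        findings.append("rotation schedule needs manual review")
    elif days > MAX_DAYS:
        findings.append(f"rotation interval of {days:g} days exceeds {MAX_DAYS}")
    last = desc.get("LastRotatedDate")
    if last is None or now - last > timedelta(days=MAX_DAYS) + GRACE:
        findings.append("rotation is overdue (check the rotation function)")
    return findings

# Constructed sample data; names, ARNs and dates are placeholders.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLES = {
    "aurora/app-ok": {"KmsKeyId": KEY, "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 14},
        "LastRotatedDate": NOW - timedelta(days=3)},
    "aurora/app-slow": {"KmsKeyId": KEY, "RotationEnabled": True,
        "RotationRules": {"ScheduleExpression": "rate(30 days)"},
        "LastRotatedDate": NOW - timedelta(days=20)},
    "aurora/app-static": {"RotationEnabled": False},
}

if __name__ == "__main__":
    for name, desc in SAMPLES.items():
        print(name, audit_secret(desc, NOW) or "compliant")
```

The overdue check catches the case where rotation is enabled on paper but the rotation function has been failing, which the schedule alone does not reveal.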