AWS Certified SysOps Administrator Associate: Secure and Automatically Rotate Amazon RDS Database Credentials with AWS CloudFormation

Learn how to secure and automatically rotate Amazon RDS database credentials using AWS CloudFormation, ensuring the highest level of security and compliance for your AWS infrastructure.

Question

A SysOps administrator needs to secure the credentials for an Amazon RDS database that is created by an AWS CloudFormation template. The solution must encrypt the credentials and must support automatic rotation.

Which solution will meet these requirements?

A. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference.
B. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm-secure dynamic reference.
C. Create an AWS::SSM::Parameter resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:ssm dynamic reference.
D. Create parameters for the database credentials in the CloudFormation template. Use the Ref intrinsic function to provide the credentials to the AWS::RDS::DBInstance resource.

Answer

A. Create an AWS::SecretsManager::Secret resource in the CloudFormation template. Reference the credentials in the AWS::RDS::DBInstance resource by using the resolve:secretsmanager dynamic reference.

Explanation

By using an AWS::SecretsManager::Secret resource, you can securely store and manage the database credentials, and the resolve:secretsmanager dynamic reference will allow you to reference the credentials in the AWS::RDS::DBInstance resource. This solution supports automatic rotation of the credentials, ensuring the highest level of security and compliance for your AWS infrastructure.

Option B is incorrect because the resolve:ssm-secure dynamic reference is only available in AWS CloudFormation 2.0 and later versions, and the question specifies that the solution must support automatic rotation.
Option C is incorrect because an AWS::SSM::Parameter resource is not the appropriate resource type for storing database credentials.
Option D is incorrect because the Ref intrinsic function is not the appropriate function for referencing the database credentials in the AWS::RDS::DBInstance resource.
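
A template showing the pattern in answer A, with rotation wired up. This is an added example, not part of the original question; the logical IDs, the dbadmin username, the MySQL engine, the instance sizing and the 30-day interval are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# This transform is required when a RotationSchedule uses HostedRotationLambda.
Transform: AWS::SecretsManager-2020-07-23

Resources:
  # Secrets Manager generates the password, so it never appears in the
  # template, in stack parameters, or in source control. With no KmsKeyId
  # set, the secret is encrypted with the AWS managed key aws/secretsmanager.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the example RDS instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "dbadmin"}'   # assumed username
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'   # characters RDS rejects in master passwords

  # The dynamic references are resolved at deploy time; the template only
  # ever contains a pointer to the secret, not its value.
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql                 # assumed engine
      DBInstanceClass: db.t3.micro  # assumed size
      AllocatedStorage: '20'
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'

  # Adds the host, port and engine to the secret so the rotation function
  # knows which database to connect to.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  # Automatic rotation: Secrets Manager deploys and invokes the rotation Lambda.
  RotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment     # rotate only after connection details exist
    Properties:
      SecretId: !Ref DBSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 30  # assumed interval
```

When the instance is in private subnets, the rotation function also needs network access to the database, which HostedRotationLambda takes through its VpcSubnetIds and VpcSecurityGroupIds properties.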