Question
A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application’s operations insert records into the database. The application currently stores credentials in a text-based configuration file.
The solutions architect needs to implement a solution so that the application can handle the current connection load. The solution must keep the credentials secure and must provide the ability to rotate the credentials automatically on a regular basis. Which solution will meet these requirements?
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store.
C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets Manager.
D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager Parameter Store.
Answer
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Explanation
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
The solutions architect needs to address two main issues: the overloaded connections on the database and the secure storage and rotation of credentials.
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure. By deploying an Amazon RDS Proxy layer in front of the DB instance, the solutions architect can help manage and handle the current connection load, efficiently distributing the traffic and improving the overall performance of the application.
To address the requirement of secure storage and rotation of credentials, AWS Secrets Manager is the ideal service to use. AWS Secrets Manager helps you protect access to your applications, services, and IT resources without upfront investment or on-going maintenance costs. This service enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. By storing the connection credentials as a secret in AWS Secrets Manager, the solutions architect can ensure that the credentials are secure and can be rotated automatically on a regular basis.
The other options are not correct because:
B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store. This option is not correct because AWS Systems Manager Parameter Store does not support automatic rotation of secrets. Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. You can use Parameter Store to store plain text or encrypted data such as passwords, database strings, or license codes as parameter values.
C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets Manager. This option is not correct because creating an Aurora Replica does not address the connection overhead issue. An Aurora Replica is a read-only copy of your Aurora DB cluster that shares the same underlying storage as the primary instance. You can use Aurora Replicas to scale out read operations and enhance availability for your Aurora DB cluster.
D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager Parameter Store. This option is not correct because creating an Aurora Replica does not address the connection overhead issue and using Parameter Store does not support automatic rotation of secrets.
In summary, to handle the current connection load, ensure secure storage of credentials, and enable automatic rotation of credentials, the recommended solution is to deploy an Amazon RDS Proxy layer in front of the DB instance and store the connection credentials as a secret in AWS Secrets Manager (option A).
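Option A expressed as infrastructure code, added here as an illustration and not taken from the original question or from AWS: a CloudFormation sketch in which the secret replaces the configuration file, a rotation schedule rotates it, and the proxy authenticates to Aurora with that secret. All parameter names, `app_user`, `app-proxy`, the 30-day interval and the 75 percent pool limit are assumptions.

```yaml
# Added example: constructed CloudFormation sketch, not from the original page.
# Assumed: every parameter, plus app_user, app-proxy, 30 days and 75 percent.
Parameters:
  DbClusterId: {Type: String}        # existing Aurora MySQL cluster
  ProxySubnetIds: {Type: 'List<AWS::EC2::Subnet::Id>'}
  RotationLambdaArn: {Type: String}  # existing rotation function
  ProxyRoleArn: {Type: String}       # role assumed by RDS; allow only secretsmanager:GetSecretValue on DbSecret
Resources:
  DbSecret:                          # replaces the text-based configuration file
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app_user"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  DbSecretAttachment:                # adds host, port and engine to the secret
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref DbClusterId
      TargetType: AWS::RDS::DBCluster
  DbSecretRotation:                  # automatic rotation on a regular basis
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      RotationLambdaARN: !Ref RotationLambdaArn
      RotationRules: {AutomaticallyAfterDays: 30}
  DbProxy:                           # pools and reuses database connections
    Type: AWS::RDS::DBProxy
    Properties:
      DBProxyName: app-proxy
      EngineFamily: MYSQL
      RequireTLS: true               # clients must use TLS to reach the proxy
      RoleArn: !Ref ProxyRoleArn
      VpcSubnetIds: !Ref ProxySubnetIds
      Auth:
        - AuthScheme: SECRETS        # proxy reads DB credentials from the secret
          IAMAuth: DISABLED
          SecretArn: !Ref DbSecret
  DbProxyTargetGroup:
    Type: AWS::RDS::DBProxyTargetGroup
    Properties:
      DBProxyName: !Ref DbProxy
      TargetGroupName: default
      DBClusterIdentifiers: [!Ref DbClusterId]
      ConnectionPoolConfigurationInfo: {MaxConnectionsPercent: 75}
```

The application then connects to the proxy endpoint rather than the cluster endpoint and reads the credentials from the secret at run time instead of from a file. The database user named in the secret must exist with the secret's password before the first rotation runs.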