Question
A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application’s operations insert records into the database. The application currently stores credentials in a text-based configuration file.
The solutions architect needs to implement a solution so that the application can handle the current connection load. The solution must keep the credentials secure and must provide the ability to rotate the credentials automatically on a regular basis.
Which solution will meet these requirements?
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store.
C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets Manager.
D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager Parameter Store.
Answer
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Explanation 1
The solution that will meet the requirements is Option A. Deploying an Amazon RDS Proxy layer in front of the DB instance and storing the connection credentials as a secret in AWS Secrets Manager will allow the application to handle the current connection load while keeping the credentials secure and providing the ability to rotate the credentials automatically on a regular basis.
Amazon RDS Proxy is a fully managed database proxy that makes applications more scalable, more resilient to database failures, and more secure. It can handle unpredictable surges in database traffic and establishes a database connection pool and reuses connections in this pool.
AWS Secrets Manager enables you to store and retrieve secrets such as database credentials, passwords, or API keys throughout their lifecycle. It can rotate secrets automatically, which can help you meet your security and compliance needs.
Explanation 2
The correct answer is A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Here are the reasons why this solution is the best fit:
- Amazon RDS Proxy is a fully managed service that provides a secure, scalable, and highly available way to access Amazon RDS databases. It can be used to improve the performance and scalability of applications that access Amazon RDS databases.
- AWS Secrets Manager is a service that helps you securely store, manage, and rotate secrets. Secrets Manager can be used to store the connection credentials for the Amazon RDS Proxy.
The other options are not as good a fit for this solution:
- Creating an Aurora Replica would not improve the performance or scalability of the application. In fact, it could make the application slower, because the replica would need to be synchronized with the primary instance.
- Storing the connection credentials in AWS Systems Manager Parameter Store is not as secure as storing them in AWS Secrets Manager. AWS Secrets Manager uses encryption to protect secrets, while AWS Systems Manager Parameter Store does not.
Explanation 3
The solution that will meet the requirements is A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Amazon RDS Proxy is a fully managed, highly available database proxy that uses connection pooling to share database connections securely and efficiently. It can handle unpredictable surges in the database traffic that creates new connections at a fast rate. The proxy is an intermediary layer that sits between a database and an application. The application establishes a connection to the proxy, which then routes connections to the database.
Storing the connection credentials as a secret in AWS Secrets Manager will keep the credentials secure and provide the ability to rotate the credentials automatically on a regular basis. Secrets Manager offers built-in integrations for MySQL, PostgreSQL, and Amazon Aurora on Amazon RDS, and can rotate credentials for these databases natively. You can control access to your secrets by using fine-grained AWS Identity and Access Management (IAM) policies.
Explanation 4
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Explanation:
The solutions architect needs to address two main issues: the overloaded connections on the database and the secure storage and rotation of credentials.
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure. By deploying an Amazon RDS Proxy layer in front of the DB instance, the solutions architect can help manage and handle the current connection load, efficiently distributing the traffic and improving the overall performance of the application.
To address the requirement of secure storage and rotation of credentials, AWS Secrets Manager is the ideal service to use. AWS Secrets Manager helps you protect access to your applications, services, and IT resources without upfront investment or on-going maintenance costs. This service enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. By storing the connection credentials as a secret in AWS Secrets Manager, the solutions architect can ensure that the credentials are secure and can be rotated automatically on a regular basis.
The other options do not fully address both the overloaded connections and the secure storage and rotation of credentials. Options B and D involve using AWS Systems Manager Parameter Store for storing credentials, which does not provide automatic rotation of credentials. Options C and D suggest creating an Aurora Replica, which can help with read-heavy workloads but does not directly address the issue of overloaded connections for write-heavy workloads, such as the mentioned application that mainly inserts records into the database.
Explanation 5
The question is about how to improve an application hosted in the AWS Cloud that uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application’s operations insert records into the database. The application currently stores credentials in a text-based configuration file. You must implement a solution that can handle the current connection load, keep the credentials secure, and rotate the credentials automatically on a regular basis. The solution that will meet these requirements is A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Amazon RDS Proxy is a fully managed database proxy service that sits between your application and your RDS database instance. It allows you to pool and share database connections among multiple application instances or containers, reducing connection overhead and improving performance and scalability. It also supports automatic failover to a standby instance in case of a primary instance failure.
AWS Secrets Manager is a fully managed service that helps you protect access to your applications, services, and IT resources by securely storing and rotating secrets such as database credentials, API keys, or passwords. You can use Secrets Manager to create and manage secrets for your RDS database instances or clusters and automatically rotate them according to a schedule or an event.
By using RDS Proxy and Secrets Manager, you can improve your application’s performance and security by reducing connection overhead, increasing connection reuse, enhancing availability, and protecting your credentials from unauthorized access or leakage. You can reference the connection credentials as a secret in Secrets Manager and use an IAM role to grant access to the secret from your application.
The other options are not correct because:
B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store. This option is not correct because AWS Systems Manager Parameter Store does not support automatic rotation of secrets. Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. You can use Parameter Store to store plain text or encrypted data such as passwords, database strings, or license codes as parameter values.
C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets Manager. This option is not correct because creating an Aurora Replica does not address the connection overhead issue. An Aurora Replica is a read-only copy of your Aurora DB cluster that shares the same underlying storage as the primary instance. You can use Aurora Replicas to scale out read operations and enhance availability for your Aurora DB cluster.
D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager Parameter Store. This option is not correct because creating an Aurora Replica does not address the connection overhead issue and using Parameter Store does not support automatic rotation of secrets.
Explanation 6
The correct answer is A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Here are the reasons why this solution is the best fit:
- Amazon RDS Proxy is a fully managed service that can be used to improve the performance and security of applications that connect to Amazon RDS databases.
- AWS Secrets Manager is a service that can be used to securely store and manage secrets, such as database credentials.
By deploying an Amazon RDS Proxy in front of the DB instance and storing the connection credentials in AWS Secrets Manager, the solutions architect can improve the performance and security of the application. The Amazon RDS Proxy will handle the initial connection requests and then forward the requests to the DB instance. This will reduce the load on the DB instance and improve the performance of the application. The connection credentials will be stored in AWS Secrets Manager, which is a secure service that can be used to manage secrets. This will help to keep the credentials secure and prevent unauthorized access to the DB instance.
The other options are not as good a fit for this solution:
- Create an Aurora Replica. This would not improve the performance of the application, and it would not help to keep the credentials secure.
- Store the connection credentials in AWS Systems Manager Parameter Store. This is not as secure as storing the credentials in AWS Secrets Manager.
Explanation 7
To improve an application hosted in the AWS Cloud that is experiencing overloaded connections to an Amazon Aurora MySQL DB instance, while also ensuring secure storage of credentials and the ability to rotate them automatically, the recommended solution is:
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Amazon RDS Proxy is a fully managed database proxy service provided by AWS. It helps applications scale and manage database connections by pooling and reusing them, which can significantly improve connection management and reduce the load on the database. In this scenario, deploying an Amazon RDS Proxy layer will help handle the current connection load.
Storing the connection credentials as a secret in AWS Secrets Manager ensures that the credentials are securely managed. AWS Secrets Manager provides a secure and centralized location for storing and managing secrets such as database credentials, API keys, and other sensitive information. By using Secrets Manager, you can securely store and retrieve the database connection credentials.
The combination of Amazon RDS Proxy and AWS Secrets Manager allows for secure and efficient connection management while ensuring that the credentials are protected. Furthermore, AWS Secrets Manager provides the ability to rotate the credentials automatically on a regular basis, which helps improve security by regularly changing the credentials without requiring manual intervention.
Option B suggests storing the connection credentials in AWS Systems Manager Parameter Store. While Parameter Store is a valid service for storing configuration data, it does not provide the built-in security features and automatic credential rotation capabilities that are available with AWS Secrets Manager.
Option C suggests creating an Aurora Replica. While creating a replica can help distribute the load and improve scalability, it does not directly address the overloaded connections issue. Additionally, it does not provide the necessary features for secure credential storage and automatic rotation.
Option D suggests storing the connection credentials in AWS Systems Manager Parameter Store. As mentioned earlier, Parameter Store does not provide the same level of security features and credential rotation capabilities as AWS Secrets Manager.
In summary, to handle the current connection load, ensure secure storage of credentials, and enable automatic rotation of credentials, the recommended solution is to deploy an Amazon RDS Proxy layer in front of the DB instance and store the connection credentials as a secret in AWS Secrets Manager (option A).
Explanation 8
The correct answer is A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
Here are the reasons why this solution is the best fit:
- Amazon RDS Proxy is a fully managed service that can be used to improve the performance and scalability of applications that access Amazon RDS databases.
- AWS Secrets Manager is a fully managed service that can be used to securely store and manage secrets, such as database credentials.
By deploying an Amazon RDS Proxy in front of the Amazon Aurora MySQL DB instance and storing the connection credentials in AWS Secrets Manager, the solutions architect can improve the performance and scalability of the application while also keeping the credentials secure.
The other options are not as good a fit for this solution:
- Creating an Aurora Replica would not improve the performance or scalability of the application. In fact, it could actually make the application slower, because the replica would need to be updated whenever the primary database is updated.
- Storing the connection credentials in AWS Systems Manager Parameter Store is not as secure as storing them in AWS Secrets Manager. AWS Secrets Manager uses encryption and rotation to keep secrets secure, while AWS Systems Manager Parameter Store does not.
Explanation 9
The correct answer is A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager. Here is a detailed explanation:
Amazon RDS Proxy is a fully managed database proxy that sits between the application and the database. It allows the application to pool and share database connections, reducing the overhead of opening and closing connections. This improves the performance and scalability of the application, especially when it has a high volume of insert operations.
AWS Secrets Manager is a service that helps to securely store and manage secrets, such as database credentials, API keys, or passwords. It also enables automatic rotation of secrets according to a specified schedule or event. By storing the connection credentials as a secret in AWS Secrets Manager, the application can retrieve them securely without exposing them in a text-based configuration file. This also simplifies the process of rotating the credentials regularly.
The other options are incorrect because:
B. AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for configuration data and secrets. However, it does not support automatic rotation of secrets like AWS Secrets Manager does. Therefore, this option does not meet the requirement of rotating the credentials automatically on a regular basis.
C. Creating an Aurora Replica is a way to scale out read operations for an Aurora DB cluster. However, it does not help with handling the overloaded connections for insert operations. Moreover, storing the connection credentials as a secret in AWS Secrets Manager does not provide any benefit if the application does not use Amazon RDS Proxy to access the database.
D. Creating an Aurora Replica and storing the connection credentials in AWS Systems Manager Parameter Store have the same drawbacks as options C and B, respectively.
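As an added illustration (not part of the original explanations), the sketch below shows one way an application could replace the text-based configuration file with a cached read from Secrets Manager and recover when a scheduled rotation invalidates the cached password. It assumes the application authenticates to the proxy endpoint with the user name and password held in the secret; `RotatingDbCredentials`, `AccessDenied`, `connect_with_rotation_retry` and the `connect` callable are hypothetical names, and only `get_secret_value` is a real boto3 call.

```python
import json
import time


class AccessDenied(Exception):
    """Hypothetical stand-in for the driver's authentication error (MySQL 1045)."""


class RotatingDbCredentials:
    """Caches the secret and re-reads it after a TTL or on demand."""

    def __init__(self, secret_id, client=None, ttl_seconds=300, clock=time.monotonic):
        if client is None:
            # Imported lazily so a stub client can be injected for offline runs.
            import boto3
            client = boto3.client("secretsmanager")
        self._client = client
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._cached = None
        self._fetched_at = 0.0

    def get(self, force_refresh=False):
        expired = self._cached is None or self._clock() - self._fetched_at >= self._ttl
        if force_refresh or expired:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            secret = json.loads(resp["SecretString"])
            missing = {"username", "password"} - secret.keys()
            if missing:
                raise ValueError(f"secret is missing keys: {sorted(missing)}")
            self._cached = secret
            self._fetched_at = self._clock()
        return self._cached


def connect_with_rotation_retry(creds, proxy_endpoint, connect):
    """Connect through the proxy endpoint; on an authentication failure,
    re-read the secret once (it may have been rotated) and retry."""
    for attempt in (1, 2):
        secret = creds.get(force_refresh=(attempt == 2))
        try:
            return connect(host=proxy_endpoint,
                           user=secret["username"],
                           password=secret["password"])
        except AccessDenied:
            if attempt == 2:
                raise  # still rejected with the freshest secret: a real auth problem
```

The single forced refresh keeps a rotation from turning into an outage without hammering Secrets Manager on every failed login.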
Explanation 10
A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
An Amazon RDS Proxy layer can help manage and distribute the connection load on the Aurora MySQL DB instance, making it more efficient in handling a high number of connections. By deploying an RDS Proxy, you can reduce the overhead on the database instance and improve its ability to handle a large number of connections.
AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without upfront investment or on-going maintenance costs. It enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. By storing the connection credentials as a secret in AWS Secrets Manager, the credentials will be secure, and you can configure automatic rotation of the credentials on a regular basis.
Option A is the best solution, as it addresses both the connection load issue and the secure storage and rotation of credentials. Options B, C, and D do not provide a complete solution to the problem. Storing credentials in AWS Systems Manager Parameter Store (Options B and D) does not provide automatic rotation of credentials. Creating an Aurora Replica (Options C and D) does not address the issue of overloaded connections, as it primarily helps in distributing read traffic, while the application mainly performs insert operations.