Learn how to store and retrieve credentials for AWS Lambda and Amazon RDS using AWS Secrets Manager, AWS Systems Manager Parameter Store, or Amazon DynamoDB. Compare the pros and cons of each solution and find out which one has the least management overhead.
Question
A developer is creating an AWS Lambda function that needs credentials to connect to an Amazon RDS for MySQL database. An Amazon S3 bucket currently stores the credentials. The developer needs to improve the existing solution by implementing credential rotation and secure storage. The developer also needs to provide integration with the Lambda function.
Which solution should the developer use to store and retrieve the credentials with the LEAST management overhead?
A. Store the credentials in AWS Systems Manager Parameter Store. Select the database that the parameter will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the parameter. Enable automatic rotation for the parameter. Use the parameter from Parameter Store on the Lambda function to connect to the database.
B. Encrypt the credentials with the default AWS Key Management Service (AWS KMS) key. Store the credentials as environment variables for the Lambda function. Create a second Lambda function to generate new credentials and to rotate the credentials by updating the environment variables of the first Lambda function. Invoke the second Lambda function by using an Amazon EventBridge rule that runs on a schedule. Update the database to use the new credentials. On the first Lambda function, retrieve the credentials from the environment variables. Decrypt the credentials by using AWS KMS. Connect to the database.
C. Store the credentials in AWS Secrets Manager. Set the secret type to Credentials for Amazon RDS database. Select the database that the secret will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the secret. Enable automatic rotation for the secret. Use the secret from Secrets Manager on the Lambda function to connect to the database.
D. Encrypt the credentials by using AWS Key Management Service (AWS KMS). Store the credentials in an Amazon DynamoDB table. Create a second Lambda function to rotate the credentials. Invoke the second Lambda function by using an Amazon EventBridge rule that runs on a schedule. Update the DynamoDB table. Update the database to use the generated credentials. Retrieve the credentials from DynamoDB with the first Lambda function. Connect to the database.
Answer
C. Store the credentials in AWS Secrets Manager. Set the secret type to Credentials for Amazon RDS database. Select the database that the secret will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the secret. Enable automatic rotation for the secret. Use the secret from Secrets Manager on the Lambda function to connect to the database.
Explanation
The correct answer is C. Store the credentials in AWS Secrets Manager. Set the secret type to Credentials for Amazon RDS database. Select the database that the secret will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the secret. Enable automatic rotation for the secret. Use the secret from Secrets Manager on the Lambda function to connect to the database.
Here is an explanation of why this solution will meet the requirements with the least management overhead:
- The problem is that the developer is creating a Lambda function that needs credentials to connect to an RDS for MySQL database, and wants to improve the existing solution by implementing credential rotation and secure storage. Credential rotation is a process that changes the credentials periodically to reduce the risk of compromise or misuse. Secure storage is a method that protects the credentials from unauthorized access or exposure. The developer also needs to provide integration with the Lambda function, which means that the function can easily retrieve and use the credentials.
- To solve this problem, the developer needs to use a service that can store and manage credentials for RDS databases, and that can provide encryption, rotation, and integration features. Secrets Manager is a fully managed service that helps users protect secrets, such as database credentials, API keys, or passwords. It can store and retrieve secrets, encrypt them with KMS keys, rotate them automatically or on demand, and integrate them with other AWS services, such as Lambda functions.
- The solution that meets the requirements with the least management overhead is to store the credentials in Secrets Manager and set the secret type to Credentials for Amazon RDS database. This way, Secrets Manager can generate and store a username and password pair for accessing the RDS database. The developer can select the database that the secret will access from a list of available databases in the Secrets Manager console or CLI. The developer can also use the default KMS key to encrypt the secret, or choose a custom KMS key if needed.
- The developer can then enable automatic rotation for the secret, which means that Secrets Manager will change the credentials every 30 days by default, or at a custom interval specified by the developer. Secrets Manager will also update the RDS database with the new credentials, so that there is no downtime or disruption. The developer can also rotate the secret on demand by using the Secrets Manager console or CLI.
- The developer can then use the secret from Secrets Manager on the Lambda function to connect to the database. The developer can use an AWS SDK or CLI to retrieve the secret value from Secrets Manager by using its name or ARN. The secret value will be a JSON object that contains the username and password pair for accessing the database. The developer can parse the JSON object and use the credentials to establish a connection with the database.
- This solution will meet the requirements with the least management overhead because it will enable the developer to store and retrieve credentials for RDS databases in a secure and scalable way, and to implement credential rotation and integration features with minimal code changes or configuration.
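The retrieval step described above, as an added example that is not part of the original page: the Lambda code reads the RDS secret through the SDK, validates the JSON document, caches it across warm invocations, and re-reads it when the caller reports an authentication failure after a rotation. The environment variable `DB_SECRET_ARN` and the `FakeSecretsClient` stand-in are assumptions constructed for offline use.

```python
import json
import os
import time

try:
    import boto3  # present in the Lambda runtime
except ImportError:  # keeps the example importable where boto3 is absent
    boto3 = None

SECRET_ID = os.environ.get("DB_SECRET_ARN", "example/rds/mysql")  # assumed env var
CACHE_TTL_SECONDS = 300  # reuse the secret across warm invocations
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")
_cache = {"value": None, "expires": 0.0}

def parse_rds_secret(secret_string):
    """Validate the JSON that Secrets Manager stores for an RDS secret."""
    data = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    return {"user": data["username"], "password": data["password"],
            "host": data["host"], "port": int(data["port"]),
            "database": data["dbname"]}

def get_db_config(client, now=None, force_refresh=False):
    """Return connection parameters, re-reading the secret only when the
    cache has expired or the caller forces a refresh after an auth failure
    (the credentials may have been rotated since the cached read)."""
    now = time.time() if now is None else now
    if not force_refresh and _cache["value"] and now < _cache["expires"]:
        return _cache["value"]
    resp = client.get_secret_value(SecretId=SECRET_ID)  # AWSCURRENT version
    cfg = parse_rds_secret(resp["SecretString"])
    _cache["value"], _cache["expires"] = cfg, now + CACHE_TTL_SECONDS
    return cfg

class FakeSecretsClient:
    """Constructed stand-in for boto3's Secrets Manager client (offline)."""
    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}

def lambda_handler(event, context):
    """Entry point; pass the result to the MySQL driver, e.g. pymysql.connect(**cfg)."""
    return get_db_config(boto3.client("secretsmanager"))
```

On an access-denied error from MySQL, call `get_db_config(client, force_refresh=True)` once and retry the connection; the Lambda execution role needs only `secretsmanager:GetSecretValue` on this secret.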
Therefore, option C is the correct solution that will meet the requirements with the least management overhead. Option A is incorrect because Systems Manager Parameter Store does not support automatic rotation for parameters that access RDS databases. Option B is incorrect because it will require creating and managing an EC2 instance, a second Lambda function, and an EventBridge rule, which will add more resources and costs to the application. Option D is incorrect because DynamoDB does not support encryption or rotation for data stored in its tables.