An enterprise wants to centrally manage and automate the rotation of database credentials for Amazon RDS instances across 50 AWS accounts. The solution must ensure that applications can retrieve the latest credentials without code changes. Which approach is MOST architecturally sound?

Answer options:

A.

Use AWS Systems Manager Parameter Store in each account. Use EventBridge to trigger Lambda for rotation.

B.

Use AWS Secrets Manager in a central account. Configure cross-account resource policies on the secrets. Use AWS Lambda for rotation.

C.

Store credentials in an encrypted Amazon S3 bucket. Use S3 Object Lock to prevent tampering.

D.

Use AWS KMS to encrypt credentials in application code. Rotate the KMS keys annually.

How to approach this question

Identify the service designed specifically for secret rotation and cross-account access.

B.Use AWS Secrets Manager in a central account. Configure cross-account resource policies on the secrets. Use AWS Lambda for rotation.✓ Correct

AWS Secrets Manager natively supports automated rotation of RDS credentials and allows cross-account access via resource-based policies.

Choosing Parameter Store, which lacks native rotation and cross-account resource policies.

75 questions · hints · full answers · grading