A company has a Node.js function on an on-premises server that uses a PostgreSQL database and stores the connection string in an environment variable. The company will migrate the application to AWS Lambda, migrate the database to Amazon RDS for PostgreSQL, and securely manage database credentials with the least operational overhead. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Store the database credentials as a secret in AWS Secrets Manager. Configure Secrets Manager to automatically rotate the credentials every 30 days. Update the Lambda function to retrieve the credentials from the secret..
Why this is the answer
Storing database credentials in AWS Secrets Manager is the most secure and operationally efficient solution. Secrets Manager is designed specifically for managing, retrieving, and rotating database credentials, API keys, and other secrets. Its automatic rotation feature, including integration with RDS, minimizes manual intervention. The Lambda function can easily retrieve the credentials at runtime using the AWS SDK. Storing credentials in Systems Manager Parameter Store is possible but lacks the built-in automatic rotation capabilities for database credentials that Secrets Manager offers, requiring more operational overhead for rotation. Encrypted Lambda environment variables are less secure for sensitive data like database credentials, as they don't offer automatic rotation, and a custom rotation function increases complexity and maintenance. AWS KMS is a key management service, not a secret storage service; it encrypts data but doesn't store the credentials themselves or provide automatic rotation for database credentials.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed