AWS Certified Data Engineer Associate DEA-C01 Practice Question
A data engineering team manages a MySQL database hosted on Amazon RDS. Compliance requires that the application password be rotated automatically every 30 days without manual scripting. The analytics pipeline runs on AWS Lambda functions in the same account. Which approach meets the requirement while minimizing operational overhead?
Set the master password in Amazon RDS to the keyword AWS_ROTATE to enable automatic rotation and allow Lambda to read the password from the DB instance endpoint.
Encrypt the password with AWS KMS, save it in a Lambda environment variable, and update the variable manually through a CI/CD pipeline each month.
Store the password in AWS Secrets Manager, enable the built-in RDS MySQL rotation schedule, and grant the Lambda execution role permission to retrieve the secret.
Store the password in AWS Systems Manager Parameter Store as a SecureString and use an EventBridge rule to trigger a custom Lambda function to rotate it every 30 days.
AWS Secrets Manager offers a built-in rotation feature for Amazon RDS databases. Enabling a rotation schedule creates an AWS-managed Lambda function that updates the database password and stores the new value in the same secret, eliminating the need for custom scripts. The Lambda functions in the pipeline can fetch the current password at run time by using an execution role that has secretsmanager:GetSecretValue permission.
AWS Systems Manager Parameter Store SecureString cannot rotate credentials automatically; implementing rotation would require a custom rule and script. Storing a KMS-encrypted value in Lambda environment variables still requires a manual update process, and Amazon RDS does not support a keyword such as AWS_ROTATE to trigger automatic password changes. Therefore, using AWS Secrets Manager with built-in rotation is the only option that satisfies the 30-day rotation requirement with the least operational effort.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Secrets Manager?
Open an interactive chat with Bash
How does AWS Secrets Manager perform automatic rotation for RDS passwords?
Open an interactive chat with Bash
Why is AWS Systems Manager Parameter Store not suitable for automatic credential rotation?
Open an interactive chat with Bash
What is AWS Secrets Manager and how does it work for password rotation?
Open an interactive chat with Bash
How does the Lambda execution role interact with AWS Secrets Manager?
Open an interactive chat with Bash
Why is AWS Systems Manager Parameter Store not suitable for automatic password rotation?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .