AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct strategy is to use AWS Secrets Manager. Secrets Manager is a purpose-built AWS service for managing the lifecycle of secrets, including credentials, API keys, and other tokens. It natively supports automatic rotation for services like Amazon RDS, which directly meets the 30-day rotation requirement for the PostgreSQL database without custom scripting. Secrets Manager provides fine-grained access control using IAM policies and resource-based policies, which facilitates secure cross-account access for the CI/CD pipeline. All API calls to Secrets Manager are logged in AWS CloudTrail, providing the detailed auditing required.

Using AWS Systems Manager (SSM) Parameter Store with advanced-tier parameters is a plausible but less optimal choice. While it can store secrets and supports cross-account sharing, it does not offer built-in, automated rotation for RDS in the same way Secrets Manager does; rotation with SSM typically requires creating and managing a custom AWS Lambda function.

Storing encrypted secret files in an Amazon S3 bucket with AWS KMS requires significant custom development. The team would need to build and maintain the logic for encryption, decryption, access control, and a custom solution for rotation, which increases operational overhead and complexity compared to a managed service like Secrets Manager.

Hosting HashiCorp Vault on Amazon EC2 is a powerful solution but contradicts the requirement to minimize operational overhead. This approach requires the company to manage the installation, high availability, patching, and maintenance of the Vault cluster and its underlying infrastructure, whereas AWS Secrets Manager is a fully managed service.