AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company operates in a multi-account AWS environment managed by AWS Organizations. Microservices that run in 12 application accounts must retrieve Amazon RDS for PostgreSQL credentials that are stored in a separate security account. Compliance mandates require that the credentials be encrypted at rest with a customer-managed AWS KMS key, rotated automatically every 30 days, accessed only through fine-grained IAM permissions, and fully logged in AWS CloudTrail. Operations teams want to minimize the amount of code and infrastructure that must be deployed in the application accounts while keeping audit visibility centralized.
Which solution most effectively satisfies these requirements?
Store the credentials as SecureString advanced parameters in AWS Systems Manager Parameter Store in the security account, attach cross-account resource policies, and run a Lambda function in each application account to rotate the parameters every 30 days.
Deploy a HashiCorp Vault cluster on Amazon EC2 instances in every application account, configure Vault's database secrets engine to generate 30-day credentials, and stream Vault audit logs to Amazon CloudWatch Logs in the security account.
Create one AWS Secrets Manager secret per database in the security account, encrypt each secret with a customer-managed KMS key, enable the AWS-provided PostgreSQL rotation Lambda to rotate the secret every 30 days, and grant application-account IAM roles cross-account access by using a resource-based policy.
Store each credential in an encrypted object in an Amazon S3 bucket in the security account, grant GetObject permissions to application-account IAM roles, and schedule an AWS CodeBuild project to overwrite each object with new credentials every 30 days.
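The cross-account Secrets Manager design in the third option depends on two policies, not one: the resource-based policy on the secret and the key policy on the customer-managed KMS key. A secret policy that is correct on its own still produces an AccessDenied on kms:Decrypt for the application-account roles, because a cross-account GetSecretValue must be allowed by the key policy as well (and by the caller's identity policy). The following is an added example, not part of the question or of any AWS-published template; the account IDs, region, role name OrdersServiceRole and the security account's ownership of both the secret and the key are assumptions. It generates both policies for a list of application accounts, scopes the KMS grant to calls made through Secrets Manager with kms:ViaService, and includes a small review helper that checks whether a principal is allowed an action by each policy.

```python
import fnmatch

SECURITY_ACCOUNT = "111111111111"        # assumed security account ID
APP_ROLE_NAME = "OrdersServiceRole"      # assumed role name in each application account
REGION = "us-east-1"                     # assumed region of the secret and the CMK


def app_role_arns(account_ids):
    """Role ARNs, one per application account, that may read the secret."""
    return [f"arn:aws:iam::{acct}:role/{APP_ROLE_NAME}" for acct in account_ids]


def secret_resource_policy(account_ids):
    """Resource-based policy for the Secrets Manager secret in the security account.
    Read-only actions, named roles only. "Resource": "*" means 'this secret'
    in a secret's own policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAppRolesReadSecret",
            "Effect": "Allow",
            "Principal": {"AWS": app_role_arns(account_ids)},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "*",
        }],
    }


def kms_key_policy(account_ids):
    """Key policy for the customer-managed key that encrypts the secret.
    The first statement keeps the security account's IAM administrators in
    control; the second lets the application roles decrypt, but only when the
    request arrives through Secrets Manager, so the roles cannot use the key directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAccess",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowAppRolesDecryptViaSecretsManager",
                "Effect": "Allow",
                "Principal": {"AWS": app_role_arns(account_ids)},
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, principal_arn, action, via_service=None):
    """Review helper, not an IAM simulator: True if an Allow statement names the
    principal, matches the action (IAM wildcards such as kms:* honoured) and any
    kms:ViaService condition matches via_service. Deny statements, other condition
    keys and identity-based policies are out of scope."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if wanted is not None and wanted != via_service:
            continue
        return True
    return False


def cross_account_read_allowed(account_ids, principal_arn):
    """A cross-account GetSecretValue succeeds only when BOTH policies allow the
    caller: the secret policy for the API call and the key policy for the
    kms:Decrypt that Secrets Manager performs on the caller's behalf."""
    secret_ok = policy_allows(secret_resource_policy(account_ids), principal_arn,
                              "secretsmanager:GetSecretValue")
    key_ok = policy_allows(kms_key_policy(account_ids), principal_arn, "kms:Decrypt",
                           via_service=f"secretsmanager.{REGION}.amazonaws.com")
    return secret_ok and key_ok


if __name__ == "__main__":
    import json
    accounts = ["222222222222", "333333333333"]   # assumed application account IDs
    print(json.dumps(secret_resource_policy(accounts), indent=2))
    print(json.dumps(kms_key_policy(accounts), indent=2))
    print(cross_account_read_allowed(accounts, app_role_arns(accounts)[0]))
```

Each application account then only needs an IAM role with an identity policy allowing secretsmanager:GetSecretValue on the secret's ARN and kms:Decrypt on the key's ARN; no rotation code runs there. Both the GetSecretValue call and the Decrypt call KMS performs for it are recorded in CloudTrail in the security account, which is what keeps the audit trail centralized. The rotation Lambda that Secrets Manager creates must be able to reach the RDS instance over the network (the same VPC or a peered one), which is a deployment detail to verify before enabling a 30-day schedule.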