AWS Certified Solutions Architect Professional SAP-C02 Practice Question
In a multi-account AWS environment, your organization keeps all sensitive data in a dedicated security account. Several microservices that run in development, test, and production accounts need to obtain a PostgreSQL user name and password at runtime. Compliance states that the secret must remain in the security account, rotate automatically every 30 days with no downtime, be retrieved across accounts using least-privilege IAM policies, and produce a detailed audit trail for every read. The operations team wants the simplest managed solution with minimal custom code. Which design meets these requirements?
Bake the credentials into each microservice's Amazon ECS task definition as container secrets and trigger a monthly CodePipeline rebuild to supply updated values.
Create a SecureString parameter in AWS Systems Manager Parameter Store in the security account, configure an EventBridge rule to invoke a custom Lambda function that rotates the parameter every 30 days and copies the new value to each account.
Store the credentials as a secret in AWS Secrets Manager in the security account, configure a built-in Lambda rotation function for 30-day rotation, attach a resource-based policy that grants each application role GetSecretValue access, and rely on AWS CloudTrail for auditing.
Encrypt the credentials with a customer-managed AWS KMS key, upload the encrypted file to an Amazon S3 bucket in the security account, and run a daily AWS Batch job in every account to download and decrypt the file when the service starts.
AWS Secrets Manager is purpose-built for centrally storing, automatically rotating, and auditing access to secrets. The secret is created once in the security account and encrypted with a customer-managed KMS key (the default aws/secretsmanager key cannot be used across accounts, so a customer-managed key is required for cross-account reads). Application roles in the workload accounts are then granted access through three policies that must agree: a resource-based policy on the secret that allows only secretsmanager:GetSecretValue for the specific role ARNs (not account roots), a statement in the KMS key policy that allows those roles kms:Decrypt, and an identity-based policy on each role. Rotation for Amazon RDS for PostgreSQL uses an AWS-provided Lambda rotation function; the new password is staged under the AWSPENDING label, tested against the database, and only then promoted to AWSCURRENT, and with the alternating-users strategy the previous user's password stays valid until the next rotation, so clients with a cached credential are never cut off. Every GetSecretValue call is recorded in AWS CloudTrail, which provides the per-read audit trail.
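The three policies that have to line up for the cross-account read, as an added example that is not part of the original question or its explanation. Account IDs, the secret ARN, the key ARN, the region and the role names are placeholders; the block builds the policy documents and includes a small least-privilege check that rejects wildcard principals, account-root principals and wildcard actions.

```python
"""Cross-account Secrets Manager access: the secret's resource policy, the
customer-managed KMS key policy statement, and the consuming role's policy.

Added example (not from the original page). All ARNs, account IDs, the
region and the role names below are placeholders.
"""
import json

REGION = "us-east-1"                                   # placeholder
SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:111111111111:"
              "secret:prod/postgres/app-AbCdEf")       # placeholder
KEY_ARN = ("arn:aws:kms:us-east-1:111111111111:"
           "key/00000000-0000-0000-0000-000000000000")  # placeholder CMK

APP_ROLES = {  # placeholder application roles, one per workload account
    "dev": "arn:aws:iam::222222222222:role/orders-service",
    "test": "arn:aws:iam::333333333333:role/orders-service",
    "prod": "arn:aws:iam::444444444444:role/orders-service",
}


def secret_resource_policy(role_arns):
    """Resource-based policy attached to the secret (PutResourcePolicy).
    Grants only GetSecretValue, and only to named role ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAppRolesRead",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(role_arns)},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",  # in a secret's resource policy, "*" is this secret
        }],
    }


def kms_key_policy_statement(role_arns, region=REGION):
    """Statement to add to the CMK's key policy. kms:ViaService limits the
    Decrypt grant to calls made through Secrets Manager in this region."""
    return {
        "Sid": "AllowSecretsManagerDecryptForAppRoles",
        "Effect": "Allow",
        "Principal": {"AWS": sorted(role_arns)},
        "Action": "kms:Decrypt",
        "Resource": "*",  # in a key policy, "*" is this key
        "Condition": {"StringEquals": {
            "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def app_role_policy(secret_arn, key_arn):
    """Identity-based policy for the role in the consuming account: read one
    secret and decrypt with one key, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": secret_arn},
            {"Effect": "Allow",
             "Action": "kms:Decrypt",
             "Resource": key_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_least_privilege(policy):
    """Reject wildcard principals, account-root principals and wildcard
    actions in any statement. Identity policies carry no Principal."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            return False
        if any(p.endswith(":root") for p in _as_list(principal.get("AWS", []))):
            return False
        if any(a.endswith("*") for a in _as_list(stmt["Action"])):
            return False
    return True


if __name__ == "__main__":
    roles = APP_ROLES.values()
    print(json.dumps(secret_resource_policy(roles), indent=2))
    print(json.dumps(kms_key_policy_statement(roles), indent=2))
    print(json.dumps(app_role_policy(SECRET_ARN, KEY_ARN), indent=2))
```

Attach the first document to the secret with PutResourcePolicy, merge the second statement into the customer-managed key's policy, and attach the third to each application role; the read from a workload account then needs only GetSecretValue on the secret ARN.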
Systems Manager Parameter Store SecureString parameters can be encrypted and shared, but Parameter Store has no built-in rotation; rotating the value and pushing it to every account would require custom Lambda and EventBridge automation, which is exactly the custom code the operations team wants to avoid. Storing an encrypted file in Amazon S3 and pulling it with a daily AWS Batch job leaves rotation manual, allows a service to run on a stale credential for up to a day, and widens the attack surface with copies of the secret in every account. Putting the credentials directly into each ECS task definition forces a monthly rebuild, violates the single-source-of-truth requirement, and exposes the values to anyone who can describe the task definition. The Secrets Manager design is therefore the only option that satisfies all operational, security, and compliance requirements with minimal custom code.
Exam domain: Design for New Solutions