
Exam AWS Certified Solutions Architect - Professional topic 1 question 604 discussion

A solutions architect is implementing infrastructure as code for a two-tier web application in an AWS CloudFormation template. The web frontend application will be deployed on Amazon EC2 instances in an Auto Scaling group. The backend database will be an Amazon RDS for MySQL DB instance. The database password will be rotated every 60 days.
How can the solutions architect MOST securely manage the configuration of the application's database credentials?

  • A. Provide the database password as a parameter in the CloudFormation template. Create an initialization script in the Auto Scaling group's launch configuration UserData property to reference the password parameter using the Ref intrinsic function. Store the password on the EC2 instances. Reference the parameter for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using the Ref intrinsic function.
  • B. Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Configure the application to retrieve the password from Secrets Manager when needed. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using a dynamic reference.
  • C. Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Create an initialization script in the Auto Scaling group's launch configuration UserData property to reference the secret resource using the Ref intrinsic function. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using the Ref intrinsic function.
  • D. Create a new AWS Systems Manager Parameter Store parameter in the CloudFormation template to be used as the database password. Create an initialization script in the Auto Scaling group's launch configuration UserData property to reference the parameter. Reference the parameter for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using the Fn::GetAtt intrinsic function.
Suggested Answer: B
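The pattern in answer B as a CloudFormation template, added here as an example (it is not from the exam page or from AWS documentation): the secret is generated inside Secrets Manager, injected into the DB instance with a `{{resolve:secretsmanager:...}}` dynamic reference, attached to the instance, and rotated every 60 days. The secret name, username, instance sizing and the use of the MySQL single-user hosted rotation are assumptions; network settings are omitted.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the exam page). RDS master password lives only in Secrets Manager.

Resources:
  # The password is generated inside Secrets Manager; it is never typed into the template.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/db-master"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "dbadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  # Dynamic reference: CloudFormation resolves the value when it creates or updates this
  # resource, so the plaintext never appears in Parameters, Outputs or UserData.
  # Subnet group and security group are omitted here; a real template sets them.
  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      StorageEncrypted: true
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"

  # Adds host, port, engine and dbname to the secret so both the rotation function
  # and the application can locate the instance from the secret alone.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  # 60-day rotation, as in the question. The hosted Lambda must be able to reach the DB
  # (add VpcSubnetIds and VpcSecurityGroupIds under HostedRotationLambda for a private DB).
  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 60
```

The EC2 instance role still needs `secretsmanager:GetSecretValue` on the secret's ARN, and the application must call it at connection time rather than once at boot, because rotation changes the database password directly and the value CloudFormation resolved at stack creation is not refreshed until the resource is updated.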

Comments

Nemer
Highly Voted 3 years, 9 months ago
B. https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_cloudformation.html
upvoted 23 times
SkyZeroZx
Most Recent 1 year, 11 months ago
Selected Answer: B
B. Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Configure the application to retrieve the password from Secrets Manager when needed. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using a dynamic reference.
upvoted 1 times
maxh8086
2 years, 5 months ago
Key : securely manage the configuration of the application's database credentials (not the create template for password rotation) https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds Updating a secret in Secrets Manager doesn't automatically update the secret in CloudFormation. In order for CloudFormation to update a secretsmanager dynamic reference, you must perform a stack update that updates the resource containing the dynamic reference, either by updating the resource property that contains the secretsmanager dynamic reference, or updating another of the resource's properties.
upvoted 1 times
maxh8086
2 years, 5 months ago
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html For example, suppose in your template you specify the MasterPassword property of an AWS::RDS::DBInstance resource to be a secretsmanager dynamic reference, and then create a stack from the template. You later update that secret's value in Secrets Manager, but don't update the AWS::RDS::DBInstance resource in your template. In this case, even if you perform a stack update, the secret value in the MasterPassword property isn't updated, and remains the previous secret value.
upvoted 1 times
maxh8086
2 years, 5 months ago
https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_RDSsecret.html I do not see parameters defined under the UserData property; rather, I see a dynamic reference object in the template - B
upvoted 1 times
bobsmith2000
3 years, 1 month ago
Selected Answer: B
B no-brainer. RDS creds, rotation - Secret Manager
upvoted 2 times
cldy
3 years, 6 months ago
B. Create a new AWS Secrets Manager secret resource in the CloudFormation template to be used as the database password. Configure the application to retrieve the password from Secrets Manager when needed. Reference the secret resource for the value of the MasterUserPassword property in the AWS::RDS::DBInstance resource using a dynamic reference.
upvoted 1 times
AzureDP900
3 years, 6 months ago
B is right
upvoted 1 times
tgv
3 years, 7 months ago
BBB ---
upvoted 1 times
WhyIronMan
3 years, 7 months ago
I'll go with B
upvoted 1 times
Balki
3 years, 7 months ago
B. C hardcodes the passwords in the script and the new password will be lost after 60 days
upvoted 3 times
blackgamer
3 years, 7 months ago
The solution is B as it is required for password rotation too.
upvoted 2 times
Waiweng
3 years, 8 months ago
It's B
upvoted 3 times
Amitv2706
3 years, 8 months ago
B. For Secret Rotation which is provided only by Secret Manager
upvoted 1 times
AJBA
3 years, 8 months ago
B https://aws.amazon.com/blogs/security/how-to-create-and-retrieve-secrets-managed-in-aws-secrets-manager-using-aws-cloudformation-template/#aws-comment-trigger-8922:~:text=The%20secret%20(username%20and%20password%20for,BackupRetentionPeriod%3A%200
upvoted 3 times
natpilot
3 years, 8 months ago
C is correct. Good option with the Ref function ( https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html ); for B, dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported.
upvoted 2 times
kirrim
3 years, 7 months ago
You definitely CAN use a dynamic reference for secretsmanager for an RDS DB password, even with rotation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html But I'm not saying you're wrong, it appears from that document you referenced, you definitely CAN do this with the Ref function as well. So it appears B and C are both feasible answers. It would come down to which one you think is the better answer. And that might be a matter of personal preference?
upvoted 1 times
Kian1
3 years, 8 months ago
Going with B
upvoted 2 times
Ebi
3 years, 8 months ago
Answer is B
upvoted 4 times
Bulti
3 years, 8 months ago
Answer is B. You need to reference secret from secret manager dynamically in the CloudFormation template where the RDS resource is configured. Loading it as part of the userdata script is not secure.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other