Tagged: #secretmanager, managedrotation, rdsMySQL
Review Set 4 – Q MySQL credentials rotation every 90 days (least ops. o/h)
JR-TutorialsDojo updated 4 months, 1 week ago · 2 Members · 2 Posts
Not listing the Q # in the set as it gets shuffled & changes. It is in “CSAP – Continuous Improvement for Existing Solutions”. The Q: “A company has performed a security audit on its existing application. …. application retrieves the Amazon RDS for MySQL credentials from … S3 bucket … the next application deployment:
- The database credentials must be randomly generated and stored in a secure AWS managed service.
- The credentials must be rotated every 90 days.
- Infrastructure-as-code provisioning of application resources using AWS CloudFormation.
… option meeting requirement with the *LEAST amount of operational overhead?*
The 2 probable options:
“Using AWS Secrets Manager, create a secret resource and generate a secure database password. Write an AWS Lambda function to rotate the database password. On AWS CloudFormation, specify a resource for Secrets Manager RotationSchedule to rotate the password every 90 days.”
“Using AWS Secrets Manager, … Write an AWS Lambda function to rotate the database password. Create a scheduled rule on Amazon EventBridge to trigger the Lambda function to rotate the database password every 90 days.”
Answer checker rules the “CloudFormation” option is correct. My questions:
1. why do both options have “writing lambda function” when Secret Manager doc says RDS MySQL is under Secret Mgr’s “managed” rotation & doesn’t require writing Lambda function?
2. The explanation why the “EventBridge to trigger lambda” option is incorrect: “This option may be possible, however, it does not use AWS CloudFormation in its solution”. Per Secret Mgr doc, rotation is done automatically (default 7 days rotation schedule can be modified to suit). Shouldn’t the explanation be “Create a scheduled rule on EventBridge to trigger lambda function is not required for RDS service covered by Secret Mgr managed rotation”?
The Q asks for least amount of Ops. O/H. Given RDS MySQL is under Secret Mgr’s “managed credential rotation” w/ no Lambda function, shouldn’t the correct answer option be “use Secret Mgr managed rotation, modify default rotation schedule to 90 days, use CFN template for next app deployment”?
If the intent of the Q is to test the taker’s knowledge on CFN “RotationSchedule” property, perhaps quoting a RDS service that isn’t covered by Secret Mgr managed rotation will give better clarity and “correctness” of the quiz?
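One way to express the poster's proposed answer as a template (an added example by the editor, not the quiz's wording or Tutorials Dojo's material): Secrets Manager generates the password, CloudFormation provisions the DB and the rotation schedule, and the RotationSchedule's HostedRotationLambda has Secrets Manager deploy its own rotation function from the MySQL template, so no Lambda code is written or maintained. The three parameters (VpcSubnetIds, DBSecurityGroupId, DBSubnetGroupName), the instance sizing and the username are assumed values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # assumed: private subnets with a route to the DB
  DBSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # assumed: allows 3306 between rotation function and DB
  DBSubnetGroupName:
    Type: String                       # assumed: existing DB subnet group
Resources:
  # Requirement 1: Secrets Manager generates the random password; nothing lives in S3.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  # Requirement 3: the DB is provisioned from the same template and reads the
  # credentials through a dynamic reference, never through a plaintext parameter.
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      DBSubnetGroupName: !Ref DBSubnetGroupName
      VPCSecurityGroups: [!Ref DBSecurityGroupId]
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
  # Writes host, port and engine into the secret so the rotation function can connect.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance
  # Requirement 2: hosted rotation. Secrets Manager deploys its own MySQL rotation
  # function from its template; no custom Lambda code is written or maintained.
  RotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DBSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSecurityGroupIds: !Ref DBSecurityGroupId
        VpcSubnetIds: !Join [',', !Ref VpcSubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 90   # the 90-day schedule the question asks for
```

The Lambda-free path the poster refers to is RDS managed rotation: setting ManageMasterUserPassword: true on AWS::RDS::DBInstance has RDS create and rotate the master-user secret itself, with the schedule (7 days by default) adjusted afterwards in Secrets Manager. With either path the application must read the secret at connection time rather than caching it indefinitely, or the first rotation breaks it.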
-
Hello AudreyST,
Thank you for bringing this to our attention.
You are correct that Amazon RDS offers managed rotation through AWS Secrets Manager, which does not require writing a custom Lambda function. We appreciate your feedback and will make the necessary updates, which should be reflected on the portal as soon as possible.
Thank you for helping us improve our content!
Best regards,
JR @ Tutorials Dojo