Topic 1 Question 255
A SysOps administrator is helping a development team deploy an application to AWS. The AWS CloudFormation template includes an Amazon Linux EC2 instance, an Amazon Aurora DB cluster, and a hardcoded database password that must be rotated every 90 days.
What is the MOST secure way to manage the database password?
A. Use the AWS::SecretsManager::Secret resource with the GenerateSecretString property to automatically generate a password. Use the AWS::SecretsManager::RotationSchedule resource to define a rotation schedule for the password. Configure the application to retrieve the secret from AWS Secrets Manager to access the database.
B. Use the AWS::SecretsManager::Secret resource with the SecretString property. Accept a password as a CloudFormation parameter. Use the AllowedPattern property of the CloudFormation parameter to require a minimum length, uppercase and lowercase letters, and special characters. Configure the application to retrieve the secret from AWS Secrets Manager to access the database.
C. Use the AWS::SSM::Parameter resource. Accept input as a CloudFormation parameter to store the parameter as a secure string. Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database.
D. Use the AWS::SSM::Parameter resource. Accept input as a CloudFormation parameter to store the parameter as a string. Configure the application to retrieve the parameter from AWS Systems Manager Parameter Store to access the database.
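The pattern option A describes, written out as a CloudFormation fragment. This is an added example, not part of the original question; the logical resource names (DBSecret, AuroraCluster, DBSubnetGroup, DBSecurityGroup, SubnetA, SubnetB) are assumed placeholders, and the subnet group and security group are assumed to be defined elsewhere in the same template.

```yaml
# Added example (not from the question page): Secrets Manager generates the Aurora
# master password, the cluster consumes it via a dynamic reference, and a hosted
# rotation function rotates it every 90 days. Resource names are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23   # required for HostedRotationLambda
Resources:
  # The password is generated by the service; no literal secret lives in the template.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Aurora master credentials, generated and rotated by Secrets Manager
      GenerateSecretString:
        SecretStringTemplate: '{"username": "dbadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
        RequireEachIncludedType: true

  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql
      DBSubnetGroupName: !Ref DBSubnetGroup          # assumed to exist in this template
      VpcSecurityGroupIds: [!Ref DBSecurityGroup]    # assumed to exist in this template
      # Dynamic references resolve at deploy time and are never stored in the template.
      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:username}}']]
      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref DBSecret, ':SecretString:password}}']]

  # Writes host, port and engine into the secret so the rotation function can connect.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref AuroraCluster
      TargetType: AWS::RDS::DBCluster

  # 90-day rotation with the AWS-managed single-user MySQL rotation Lambda.
  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DBSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSecurityGroupIds: !Ref DBSecurityGroup
        VpcSubnetIds: !Join [',', [!Ref SubnetA, !Ref SubnetB]]
      RotationRules:
        AutomaticallyAfterDays: 90
```

The EC2 application then reads the current password at runtime with the Secrets Manager GetSecretValue API, using an instance role whose policy is scoped to this secret's ARN rather than a credential baked into the AMI or user data.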
Comments (3)
- Selected answer: A
A - although B looks plausible as well, using the pattern in B won’t rotate the secret every 90 days.
👍 3 csG13 2023/03/08
- Selected answer: A
Option A!
👍 1 AndyMartinez 2023/04/08
- Selected answer: A
The AWS::SecretsManager::Secret directive is only used to "Creates a new secret". Doesn't sound right that it would be used to accept an existing password (originating from where?). The question and response "B" seem to suggest you are just wanting to re-use an existing password in Secrets Manager for a new DB cluster (which is plausible). If so, rotation would already be configured for the existing secret, but you shouldn't also be parsing for length, etc. I also think the response has to be "A", but not just because it specifies a rotation schedule. There is more to this than that.
👍 1 Gomer 2023/04/27