Question

Your team is deploying a set of applications onto AWS. These applications work with multiple databases. You need to ensure that the database passwords are stored securely.

Which of the following is the ideal way to store the database passwords?

A. Store them in separate Lambda functions which can be invoked via HTTPS.

B. Store them as secrets in AWS Secrets Manager.

C. Store them in separate DynamoDB tables.

D. Store them in separate S3 buckets.

Answer 1

Answer - B.

This is mentioned in the AWS Documentation.

AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets.

Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.

You can store and control access to these secrets centrally by using the Secrets Manager console, the Secrets Manager command-line interface (CLI), or the Secrets Manager API and SDKs.

Option A is incorrect because the Lambda function is a compute service and not used for storing credentials.

Option C is incorrect because DynamoDB is a NoSQL database service and not suitable for storing credentials.

Option D is incorrect because the S3 bucket is used to store objects and is not particularly designed to store credentials.

It may have some security issues.

For more information on the Secrets Manager, please refer to the below URL-

https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

The ideal way to store database passwords on AWS is by using AWS Secrets Manager, which is a service that enables you to securely store and manage secrets, such as database passwords, API keys, and other sensitive data. AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure.

Storing database passwords as secrets in AWS Secrets Manager provides several benefits:

1. Enhanced security: AWS Secrets Manager provides end-to-end encryption for your secrets, which means that your secrets are encrypted at rest and in transit. Additionally, you can define granular access policies to control who can access your secrets.

2. Easy integration: AWS Secrets Manager integrates with a variety of AWS services, such as Amazon RDS, Amazon DocumentDB, and Amazon Redshift. This integration makes it easy to retrieve secrets from AWS Secrets Manager and use them in your applications.

3. Automatic rotation: AWS Secrets Manager enables you to automatically rotate your secrets on a schedule that you define. This feature helps you improve your security posture by ensuring that your secrets are frequently updated.

Option A, storing database passwords in separate Lambda functions which can be invoked via HTTPS, is not ideal because it requires you to manage your own infrastructure to host and run the Lambda functions. Additionally, you would need to implement your own access controls to secure access to the Lambda functions.

Option C, storing database passwords in separate DynamoDB tables, is also not ideal because it requires you to manage your own infrastructure to host and run the DynamoDB tables. Additionally, you would need to implement your own access controls to secure access to the DynamoDB tables.

Option D, storing database passwords in separate S3 buckets, is not ideal because S3 is designed to store and retrieve data, not secrets. Additionally, S3 does not provide end-to-end encryption for your data by default, which means that you would need to implement your own encryption and access controls to secure your secrets.