AWS Certified Associate SAA-C03 Book

AWS Secrets Manager is a fully managed service specifically designed to securely store and automatically rotate database credentials, API keys, and other secrets. Secrets Manager provides built-in integration with Amazon RDS for automatic credential rotation on a configurable schedule without requiring downtime. It also manages the secure distribution of the credentials to authorized services, such as your web servers, using IAM policies. Manual solutions (S3, files, cron jobs) do not provide the same level of automation, audit, or security.

Reference Extract from AWS Documentation / Study Guide:

"AWS Secrets Manager enables you to rotate, manage, and retrieve database credentials securely. It supports automatic rotation of secrets for supported AWS databases without requiring application downtime."

Source: AWS Certified Solutions Architect – Official Study Guide, Security and Secrets Management section.

Amazon SQS is a fully managed message queuing service that reliably decouples and scales microservices, distributed systems, and serverless applications. By using SQS, microservices can communicate asynchronously, handle bursts of traffic, and avoid data loss by buffering messages until they are processed. Deploying the services on ECS with AWS Fargate further reduces operational overhead by removing the need to manage servers, allowing independent scaling of each microservice.

Reference Extract:

"Amazon SQS decouples application components and enables message durability and scaling. AWS Fargate removes the need to manage infrastructure, supporting independent scaling and minimal operational overhead."

Source: AWS Certified Solutions Architect – Official Study Guide, Microservices and Messaging section.

Amazon API Gateway supportsresource policies, which allow you to control access to your API by specifying the IP addresses or ranges that can access the API. By creating a resource policythat explicitly denies access to any IP address outside the allowed set, you can ensure that only trusted IP addresses (such as those from your internal network) can access the critical information in your API. This approach provides fine-grained access control without the need for additional infrastructure or complex configurations.

Option A (Private integration): API Gateway private integrations are for creating private APIs that are only accessible within a VPC, but this solution is about restricting access to certain IP addresses.

Option C (Private subnet and ACLs): Deploying the API in a private subnet and using network ACLs adds unnecessary complexity and isn't the best fit for HTTP APIs.

Option D (Security group): API Gateway doesn't have a security group because it isn't a resource inside a VPC. Instead, resource policies are the correct mechanism for controlling IP-based access.

AWS References:

Controlling Access to API Gateway with Resource Policies

AWSSecrets Managercan integrate directly with Amazon RDS for automatic and seamless password rotation. Secrets Manager handles the complexity of password management, including generating strong passwords and rotating them at a defined interval (e.g., every 30 days). It also automatically updates the connection information for RDS, minimizing operational overhead.

Option A (Lambda with EventBridge): While possible, this requires custom coding and operational management of Lambda, which introduces additional complexity.

Option B (Manual password change): Using the modify-db-instance command requires manual intervention and is not automated, leading to more operational effort.

Option D (Parameter Store): Systems Manager Parameter Store is less specialized for password management than Secrets Manager and does not have built-in automated rotation for RDS credentials.

AWS References:

AWS Secrets Manager Rotation for RDS