
A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions.

Which solution best meets these requirements?


Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Store the password in Systems Manager Parameter Store as a SecureString and grant the ECS task role GetParameter only for that parameter ARN. Have the application call GetParameter on each request or on a short refresh interval.

A Parameter Store SecureString does store the password encrypted, but the requirements emphasize managed rotation, which is a Secrets Manager control; whether a redeploy is avoided also depends on the application's refresh behaviour and on how rotation is integrated with the parameter.

B

Best answer

Store the password in AWS Secrets Manager. Configure rotation for the secret. Grant the ECS task role secretsmanager:GetSecretValue for only that secret ARN. Update the application to fetch the secret at runtime and cache it briefly.

Secrets Manager provides encrypted-at-rest storage and supports managed rotation. ECS task roles provide least-privilege access without static keys. Fetching at runtime with brief caching supports rotation without redeploying the task definition.
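The two moving parts of the best answer are the task-role policy (one action, one secret ARN) and a runtime fetch with a short cache so a rotated value is picked up without redeploying. The following is an added example, not code from the question page: the ARN is a constructed placeholder, the fetch function is injected so the caching logic runs offline, and the boto3 fetcher assumes the secret's value is a JSON object with a `password` key (the layout Secrets Manager uses for database secrets).

```python
"""Least-privilege task-role policy and short-TTL secret caching for an ECS task.

Added example; not from the question page. SECRET_ARN is a constructed
placeholder and the JSON layout of the secret is an assumption.
"""
import json
import time
from typing import Callable, Optional

# Constructed placeholder ARN (not a real secret).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-AbCdEf"


def task_role_policy(secret_arn: str) -> dict:
    """IAM policy for the ECS task role: exactly one action on exactly one secret."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            }
        ],
    }


def policy_is_least_privilege(policy: dict, secret_arn: str) -> bool:
    """Reject wildcards and any Allow statement that goes beyond GetSecretValue
    on the single secret ARN (this is the check that rules out option D's broad policy)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any("*" in a for a in actions) or any("*" in r for r in resources):
            return False
        if set(actions) != {"secretsmanager:GetSecretValue"} or set(resources) != {secret_arn}:
            return False
    return True


class CachedSecret:
    """Fetches the secret at runtime and caches it for ttl_seconds, so a rotated
    value is picked up on the next refresh without a redeploy, and the service
    is not calling Secrets Manager on every request."""

    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._value: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # exposed so callers can verify caching behaviour

    def get(self) -> str:
        now = self._clock()
        if self._value is None or now >= self._expires_at:
            self._value = self._fetch()
            self.fetch_count += 1
            self._expires_at = now + self._ttl
        return self._value

    def invalidate(self) -> None:
        """Call after a database authentication failure: rotation may have
        happened inside the cache window, so force a refetch on the next get()."""
        self._value = None


def secrets_manager_fetcher(secret_id: str) -> Callable[[], str]:
    """Real fetcher using boto3 (not exercised offline). Credentials come from the
    ECS task role, so no static access keys are configured anywhere."""
    def fetch() -> str:
        import boto3  # imported lazily so the module loads without boto3 installed
        client = boto3.client("secretsmanager")
        resp = client.get_secret_value(SecretId=secret_id)
        # Assumption: the secret value is a JSON object with a "password" key.
        return json.loads(resp["SecretString"])["password"]
    return fetch


if __name__ == "__main__":
    print(json.dumps(task_role_policy(SECRET_ARN), indent=2))
```

In the service, construct `CachedSecret(secrets_manager_fetcher(SECRET_ARN), ttl_seconds=300)` once at startup and call `get()` when opening a database connection; on an authentication error, call `invalidate()` and retry once, which covers the case where rotation happened while the old value was still cached.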

C

Distractor review

Store the password in a local file within the container image and mount it as a Docker secret at build time to avoid environment variables.

Including credentials in images increases leakage risk and does not provide a robust rotation mechanism. Least-privilege access via IAM roles is not used effectively.

D

Distractor review

Store the password in an S3 bucket with server-side encryption and allow all ECS tasks to read it using a broad IAM policy on the bucket prefix.

S3 is not a purpose-built secrets storage service, and broad IAM permissions violate least privilege. Rotation and secret lifecycle controls are weaker compared with Secrets Manager.

Common exam trap

Common exam trap: authentication is not authorization

Logging in proves the user can authenticate. It does not automatically mean the user is allowed to enter privileged or configuration mode. Watch for AAA authorization, privilege level and command authorization details.

Technical deep dive

How to think about this question

This kind of question is testing the difference between identity and permission. A user may successfully log in to a router because authentication is working, but still fail to enter configuration mode because authorization is missing, misconfigured or mapped to a lower privilege level.

Key Concepts to Remember

  • Authentication checks who the user is.
  • Authorization controls what the user is allowed to do after login.
  • Privilege levels affect access to EXEC and configuration commands.
  • AAA, TACACS+ and RADIUS can separate login success from command access.

Exam Day Tips

  • Do not assume successful login means full administrative access.
  • Look for words such as cannot enter configuration mode, privilege level, authorization or command access.
  • Separate login problems from permission problems before choosing the answer.


FAQ

Questions learners often ask

What does this SAA-C03 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Store the password in AWS Secrets Manager. Configure rotation for the secret. Grant the ECS task role secretsmanager:GetSecretValue for only that secret ARN. Update the application to fetch the secret at runtime and cache it briefly.

AWS Secrets Manager is designed for encrypted secret storage and managed rotation, satisfying the auditor's encrypted-at-rest and rotation requirements. Granting the ECS task role only secretsmanager:GetSecretValue for the specific secret ARN enforces least privilege and avoids embedding static credentials in task definitions or images. Updating the application to retrieve the secret at runtime and refresh it on a short interval (with caching to reduce calls) allows rotation to take effect without redeploying. This directly addresses the operational and security constraints described.

Why others are wrong:

  • Option A may work with Parameter Store, but it does not align best with the requirement emphasizing Secrets Manager controls and managed rotation.
  • Option C embeds secrets in container images, which is high risk and does not provide a secure rotation lifecycle.
  • Option D uses S3 for secrets and broad access, violating least privilege and weakening rotation and secret-handling guarantees.

What should I do if I get this SAA-C03 question wrong?

Try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
