A financial services company deploys a containerized application on Amazon ECS with Fargate. The application needs to access an encrypted RDS database. The security policy mandates that database credentials must never be stored in the application code or configuration files and must be rotated automatically every 90 days. Which solution should the DevOps team implement to satisfy these requirements?
AWS Secrets Manager supports automatic rotation and integrates with ECS task roles, meeting all requirements.
Why this answer
AWS Secrets Manager is the correct choice because it is designed to securely store, retrieve, and automatically rotate database credentials on a schedule (e.g., every 90 days) without storing them in code or configuration. By granting the ECS task role (via IAM) permission to access the secret, the Fargate task can retrieve the credentials at runtime using the AWS SDK or CLI, ensuring they are never hardcoded. This satisfies both the no-storage-in-code and automatic rotation requirements mandated by the security policy.
Exam trap
ISC2 often tests the distinction between AWS Secrets Manager and Systems Manager Parameter Store. Candidates mistakenly choose Parameter Store because it is cheaper, overlooking that Secrets Manager provides native automatic rotation for RDS credentials, which the policy explicitly requires.
How to eliminate wrong answers
Option B is wrong because passing encrypted credentials as environment variables in the task definition still embeds them in the container's environment, which violates the policy of never storing credentials in code or configuration files, and it does not provide automatic rotation.

Option C is wrong because AWS Systems Manager Parameter Store (SecureString) can store encrypted secrets but does not natively support automatic rotation of RDS database credentials; it requires custom Lambda functions or additional services to implement rotation, making it less suitable for the 90-day rotation requirement.

Option D is wrong because deploying HashiCorp Vault on EC2 adds operational overhead, requires managing the EC2 instances and the Vault cluster, and does not integrate natively with the ECS Fargate task role for seamless credential retrieval; it also does not automatically rotate RDS credentials without additional configuration.