A company needs to deploy AWS CloudFormation templates that configure sensitive database credentials. The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.
Which solution will meet the requirements?
A. Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
B. Use encrypted parameters in the CloudFormation template.
C. Use SecureString parameters to reference Secrets Manager.
AWS CloudFormation supports dynamic references to AWS Secrets Manager, which allow sensitive values to be retrieved securely when the stack is created or updated instead of being embedded in the template. According to AWS Certified Security – Specialty guidance, dynamic references keep secrets out of plaintext in templates, stack metadata, and logs.
Using dynamic references ensures that secrets remain encrypted at rest in Secrets Manager (under AWS KMS) and are retrieved only when required. CloudFormation does not support SecureString parameters for Secrets Manager references, and encrypting the template itself does not prevent the values from being exposed during stack execution.
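As an added illustration (not part of the original question or AWS documentation), the script below embeds two constructed CloudFormation templates in JSON form: one that sets the RDS master credentials through `{{resolve:secretsmanager:...}}` dynamic references, and one that places a literal password in the template. A small checker then walks the `Resources` section and reports any credential property that holds a plaintext string rather than a dynamic reference or an intrinsic function. The secret name `prod/db/credentials`, the sample password, and the list of property names treated as sensitive are assumptions chosen for this example.

```python
import json
import re

# A CloudFormation dynamic reference that resolves a secret at stack
# create/update time: {{resolve:secretsmanager:...}} or {{resolve:ssm-secure:...}}.
DYNAMIC_SECRET_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):[^{}]+\}\}$")

# Property names that carry credentials (assumed list; extend for other resource types).
SENSITIVE_PROPERTIES = {"MasterUserPassword", "Password", "MasterPassword", "AdminPassword"}

# Constructed template: credentials come from Secrets Manager via dynamic references.
# "prod/db/credentials" is a placeholder secret name, not a real resource.
TEMPLATE_WITH_DYNAMIC_REF = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres",
                "DBInstanceClass": "db.t3.micro",
                "AllocatedStorage": 20,
                "MasterUsername": "{{resolve:secretsmanager:prod/db/credentials:SecretString:username}}",
                "MasterUserPassword": "{{resolve:secretsmanager:prod/db/credentials:SecretString:password}}",
            },
        }
    },
})

# Constructed template with the anti-pattern: a literal password in the template body,
# which ends up in stack metadata and anywhere the template is stored or logged.
TEMPLATE_WITH_PLAINTEXT = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres",
                "DBInstanceClass": "db.t3.micro",
                "AllocatedStorage": 20,
                "MasterUsername": "admin",
                "MasterUserPassword": "ChangeMe123!",  # constructed sample value
            },
        }
    },
})


def _walk(path, node, findings):
    """Recursively visit a Properties subtree, recording sensitive literal strings."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (key in SENSITIVE_PROPERTIES and isinstance(value, str)
                    and not DYNAMIC_SECRET_REF.match(value)):
                # A literal string in a credential property: plaintext in the template.
                findings.append(child)
            else:
                # Dynamic references pass; dicts (Ref, Fn::*) are intrinsic functions
                # and are descended into rather than flagged outright.
                _walk(child, value, findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(f"{path}[{index}]", item, findings)


def find_plaintext_secrets(template_text):
    """Return 'Resource.Property' paths whose credential property is a plaintext literal.

    An empty list means every sensitive property is either a dynamic reference
    to Secrets Manager / SSM SecureString or an intrinsic function.
    """
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        _walk(name, resource.get("Properties", {}), findings)
    return findings


if __name__ == "__main__":
    for label, text in (("dynamic-ref", TEMPLATE_WITH_DYNAMIC_REF),
                        ("plaintext", TEMPLATE_WITH_PLAINTEXT)):
        print(label, find_plaintext_secrets(text) or "OK: no plaintext credentials")
```

The checker is deliberately conservative: it only flags literal strings, since a `Ref` to a `NoEcho` parameter or an `Fn::*` expression cannot be judged without the parameter values. Running it as a pre-deploy step in a pipeline catches the case the explanation warns about, a credential typed directly into the template, before the stack is ever created.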
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
AWS CloudFormation Dynamic References
AWS Secrets Manager Best Practices