Medium · 1 mark · Multiple Choice
Domain 2.3: Security Controls · Secrets Manager · CloudFormation · Security

AWS SAP-C02 · Question 30 · Domain 2.3: Security Controls

A company is deploying a new application using AWS CloudFormation. They need to ensure that sensitive parameters, such as database passwords, are not hardcoded in the templates and are rotated automatically every 30 days. Which THREE actions should they take? (Select THREE)

Answer options:

A. Store the passwords in AWS Systems Manager Parameter Store as SecureString.

B. Store the passwords in AWS Secrets Manager.

C. Use CloudFormation parameters with NoEcho set to true to pass passwords during stack creation.

D. Configure an AWS Lambda function to handle the rotation logic for Secrets Manager.

E. Hardcode the passwords in a private S3 bucket and reference them in CloudFormation.

F. Use dynamic references in the CloudFormation template to retrieve the secrets from Secrets Manager.

G. Use AWS KMS to rotate the passwords.

How to approach this question

Identify the service for secret rotation and how CloudFormation integrates with it.

Full Answer

B, D, F
AWS Secrets Manager handles secret storage and automated rotation (via Lambda). CloudFormation uses dynamic references to securely fetch these secrets during stack deployment without exposing them.

Common mistakes

Choosing Parameter Store, which lacks native automated rotation capabilities.
