Explore Exams
Login Signup
Sign in Open App
AWS Solutions Architect Exam  >  AWS Solutions Architect Notes  >  : Associate Level  >  Case Studies: Secrets Manager vs Parameter Store

Case Studies: Secrets Manager vs Parameter Store

Case Studies: Secrets Manager vs Parameter Store

Case Study 1

A financial services company is migrating a legacy customer relationship management (CRM) application to AWS. The application currently stores database credentials in encrypted configuration files on-premises. The security team requires automatic rotation of database passwords every 30 days to meet compliance requirements. The application is built using Java and connects to an Amazon RDS PostgreSQL database. The development team wants to minimize code changes and maintain the current connection pooling mechanism. The operations team has limited staff and requires the solution to handle rotation operations automatically without custom Lambda functions or additional infrastructure management.

What is the MOST appropriate solution for managing database credentials in this scenario?

  1. Store database credentials in AWS Systems Manager Parameter Store with advanced parameters and SecureString type. Implement a Lambda function triggered by CloudWatch Events to rotate credentials every 30 days and update both the database and Parameter Store.
  2. Use AWS Secrets Manager to store database credentials and enable automatic rotation. Configure the application to retrieve credentials from Secrets Manager using the AWS SDK before establishing database connections.
  3. Store credentials in AWS Systems Manager Parameter Store as standard SecureString parameters. Use AWS Config rules to monitor parameter age and trigger manual rotation procedures through documented runbooks when credentials exceed 30 days.
  4. Implement AWS Secrets Manager with automatic rotation disabled. Create a scheduled EventBridge rule that invokes a custom Lambda function to orchestrate password changes across the RDS database and Secrets Manager.

Answer & Explanation

Correct Answer: 2 - Use AWS Secrets Manager with automatic rotation enabled

Why this is correct: AWS Secrets Manager provides native automatic rotation functionality specifically designed for RDS databases, including PostgreSQL. When enabled, Secrets Manager handles the complete rotation process without requiring custom Lambda functions-it uses built-in rotation templates that automatically update credentials in both the secret and the database. This meets the compliance requirement for 30-day rotation, minimizes operational overhead (no custom infrastructure to manage), and requires minimal code changes (just API calls to retrieve secrets). The service is purpose-built for this exact use case.

Why the other options are wrong:

  • Option 1: While Parameter Store supports storing credentials, it does not provide native automatic rotation capabilities. Requiring a custom Lambda function for rotation directly violates the constraint that operations staff is limited and the requirement to avoid custom infrastructure management. This creates significant operational overhead.
  • Option 3: Relying on manual rotation procedures through runbooks completely fails to meet the requirement for automatic rotation every 30 days. AWS Config rules only provide compliance monitoring, not automated remediation. This approach introduces human error risk and operational burden inconsistent with the scenario constraints.
  • Option 4: Disabling automatic rotation and building custom Lambda orchestration defeats the primary purpose of using Secrets Manager. This approach creates unnecessary operational complexity and custom infrastructure that must be maintained, directly conflicting with the requirement for minimal management overhead.

Key Insight: The critical differentiator is automatic rotation capability. Secrets Manager is purpose-built for credential rotation with native RDS integration, while Parameter Store is designed for configuration management without built-in rotation. The constraint about limited operations staff and avoiding custom infrastructure eliminates any solution requiring Lambda development.

Case Study 2

A healthcare technology startup is building a microservices-based patient portal on AWS. The architecture consists of 25 microservices running in Amazon ECS with Fargate. Each service requires between 5 to 15 configuration parameters including API endpoints, feature flags, timeout values, and regional settings. These parameters change frequently during development-sometimes multiple times per day-and need to be accessed quickly by all service instances. The startup operates under tight budget constraints and must minimize AWS service costs. Database credentials are managed separately through a dedicated secrets management solution already in place. The DevOps team needs a solution that supports versioning, provides parameter change notifications, and allows hierarchical organization of parameters by environment and service name.

What is the MOST cost-effective solution for managing these application configuration parameters?

  1. Use AWS Systems Manager Parameter Store with standard parameters organized in a hierarchical namespace structure. Implement GetParametersByPath API calls to retrieve environment-specific configurations and configure Amazon EventBridge to capture parameter change events for notifications.
  2. Store all configuration parameters as individual secrets in AWS Secrets Manager. Use resource tags to organize parameters by environment and service, and enable CloudTrail logging to track parameter modifications and trigger notifications.
  3. Deploy an Amazon RDS database to store configuration parameters in structured tables. Build a custom API layer using API Gateway and Lambda to provide parameter retrieval, versioning, and change notification capabilities.
  4. Implement AWS AppConfig to store and deploy configuration parameters. Configure deployment strategies for each microservice and use CloudWatch Events to monitor configuration deployment status and changes.

Answer & Explanation

Correct Answer: 1 - Use Parameter Store with standard parameters and hierarchical organization

Why this is correct: AWS Systems Manager Parameter Store standard parameters are completely free for storage and API calls, making this the most cost-effective solution for the budget-constrained startup. Standard parameters support up to 10,000 parameters per account and provide native versioning, hierarchical organization (allowing structures like /dev/service-name/parameter), and integration with EventBridge for change notifications. The GetParametersByPath API enables efficient retrieval of all parameters for a specific environment or service. Since database credentials are handled separately and the requirement is purely for application configuration data, Parameter Store perfectly fits the use case without the additional cost of Secrets Manager.

Why the other options are wrong:

  • Option 2: AWS Secrets Manager charges approximately $0.40 per secret per month plus $0.05 per 10,000 API calls. With 25 services averaging 10 parameters each (250 parameters), this would cost around $100 monthly just for storage, plus API call charges. This is unnecessarily expensive when the parameters are configuration values, not secrets requiring rotation. Secrets Manager is designed for credential management, not general configuration.
  • Option 3: Building a custom solution with RDS, API Gateway, and Lambda introduces multiple cost components (database instance charges, API Gateway requests, Lambda invocations) and significant operational overhead for maintaining custom code. This directly contradicts the cost-effectiveness requirement and adds unnecessary complexity for a solved problem.
  • Option 4: While AWS AppConfig is appropriate for configuration management, it incurs costs based on configuration requests and deployment strategies. AppConfig is optimized for controlled configuration deployments with validation and rollback, which exceeds the stated requirements. Parameter Store provides the needed functionality at zero cost for standard parameters.

Key Insight: Cost constraint is the decisive factor. Many candidates overlook that Parameter Store standard parameters are free, making it the clear choice for configuration management when automatic rotation is not needed. The trap is thinking Secrets Manager is required for any sensitive data or that a more sophisticated service like AppConfig is always better than a simpler solution.

Case Study 3

A media streaming company operates a hybrid architecture with on-premises video encoding infrastructure and AWS cloud services for content delivery. The encoding clusters must access a centralized key management system to retrieve encryption keys for protecting video content. The on-premises systems cannot be modified to use AWS SDKs or IAM authentication due to legacy software constraints. The security team requires that encryption keys be rotated every 90 days and that all key access be audited. The company has established AWS Direct Connect between their data center and AWS. Key retrieval operations occur approximately 500,000 times daily across the encoding infrastructure. The solution must provide low-latency access to keys from both on-premises and AWS environments with minimal operational complexity.

Which solution BEST meets these requirements?

  1. Store encryption keys in AWS Secrets Manager with automatic rotation enabled. Deploy AWS Systems Manager Session Manager endpoints on-premises to enable the legacy systems to retrieve secrets through a local agent that handles AWS authentication.
  2. Use AWS Systems Manager Parameter Store advanced parameters with standard throughput to store encryption keys. Configure Parameter Store to allow access from on-premises via VPC endpoints over Direct Connect, and implement application-level key rotation using Lambda functions.
  3. Store encryption keys in AWS Secrets Manager and create a VPC endpoint for Secrets Manager in the VPC connected to on-premises via Direct Connect. Deploy a simple proxy service on Amazon EC2 that authenticates to Secrets Manager and exposes a REST API accessible to on-premises systems using API keys.
  4. Implement AWS Systems Manager Parameter Store with standard parameters. Store keys as SecureString values and build a caching layer using Amazon ElastiCache to reduce API calls and provide low-latency access for high-frequency retrieval operations.

Answer & Explanation

Correct Answer: 3 - Use Secrets Manager with VPC endpoint and EC2 proxy service

Why this is correct: This solution addresses all requirements: Secrets Manager provides native automatic rotation for the 90-day requirement without custom development; VPC endpoints enable private connectivity over Direct Connect with low latency; the EC2 proxy service bridges the authentication gap between legacy systems that cannot use AWS SDKs/IAM and Secrets Manager; and all access is automatically logged to CloudTrail for audit compliance. The proxy approach is a standard pattern for integrating legacy systems with AWS services and introduces minimal operational complexity as a stateless service that simply forwards authenticated requests.

Why the other options are wrong:

  • Option 1: AWS Systems Manager Session Manager is designed for interactive shell access to EC2 instances, not for programmatic secret retrieval by applications. This misunderstands the purpose of Session Manager. Additionally, there is no "local agent" that handles AWS authentication for arbitrary applications-this is not how Session Manager works.
  • Option 2: Parameter Store does not provide native automatic rotation capabilities, requiring custom Lambda functions to implement rotation logic. This increases operational complexity. More critically, Parameter Store standard throughput is limited to 40 transactions per second per account, which is completely inadequate for 500,000 daily operations (approximately 5.8 TPS average, but likely with peak bursts). Higher throughput increases costs and still requires custom rotation.
  • Option 4: While ElastiCache could provide caching for high-frequency access, standard Parameter Store parameters also face the throughput limitation problem mentioned in Option 2. More importantly, standard parameters cannot enable automatic rotation-rotation would require custom implementation. Additionally, introducing ElastiCache adds infrastructure complexity (cache invalidation, maintenance, monitoring) that contradicts the minimal operational complexity requirement.

Key Insight: The hybrid architecture with legacy system constraints is the key challenge. The solution must bridge two worlds: AWS-native services with IAM authentication and legacy systems that cannot integrate directly. The proxy pattern is a standard architectural approach for this scenario. Additionally, recognizing that 500,000 daily operations could stress Parameter Store's default throughput limits distinguishes candidates who understand service limits.

Case Study 4

An e-commerce company has deployed a containerized application on Amazon EKS that processes payment transactions. The application uses three types of sensitive data: payment gateway API keys that never change, database credentials for Amazon Aurora PostgreSQL that must be rotated monthly, and third-party service tokens that expire and must be refreshed every 7 days through an external OAuth flow. The security team has discovered that the current implementation stores all three types of data in Kubernetes Secrets, which poses a compliance risk. The development team reports that the application makes approximately 50 credential retrievals per second during peak traffic. The infrastructure team requires a solution that minimizes changes to the EKS cluster configuration and application deployment manifests. Cost optimization is important, but security and compliance are the primary concerns.

What combination of AWS services should be used to properly manage these different types of sensitive data? (Select TWO)

  1. Store payment gateway API keys in AWS Secrets Manager with automatic rotation disabled, configure IAM roles for service accounts (IRSA) in EKS to allow pods to retrieve these static secrets, and mount them as environment variables.
  2. Store database credentials in AWS Secrets Manager with automatic rotation enabled for RDS Aurora, and use the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver to mount credentials as volumes in pods.
  3. Store all three types of credentials in AWS Systems Manager Parameter Store advanced parameters with encryption enabled, and use the AWS Secrets and Configuration Provider (ASCP) to sync parameters into Kubernetes Secrets automatically.
  4. Implement third-party service token refresh logic in AWS Lambda functions triggered by EventBridge scheduled rules every 7 days, store refreshed tokens in AWS Secrets Manager, and configure EKS pods to retrieve tokens through direct API calls using IRSA.
  5. Store database credentials in Parameter Store with SecureString encryption and create a Kubernetes CronJob that runs daily to check credential age, manually rotating them in Aurora when they exceed 30 days and updating the stored values.

Answer & Explanation

Correct Answer: 2 and 4 - Use Secrets Manager for database credentials with automatic rotation and Lambda-based token refresh

Why these are correct: Option 2 properly handles the database credentials that require regular rotation-Secrets Manager provides native automatic rotation for RDS Aurora without custom code, and the Kubernetes Secrets Store CSI Driver with ASCP allows seamless integration with EKS while maintaining security through IAM roles. Option 4 correctly addresses the third-party OAuth tokens that require custom refresh logic-since this involves external API calls every 7 days, Lambda with EventBridge scheduling is appropriate, and storing the refreshed tokens in Secrets Manager ensures they're managed consistently with proper encryption and audit logging. Together, these options handle the two credential types requiring rotation/refresh while maintaining security compliance.

Why the other options are wrong:

  • Option 1: While using Secrets Manager for static API keys is acceptable, mounting secrets as environment variables is less secure than using the CSI Driver volume mount approach specified in Option 2. Environment variables are visible in pod specifications and logs. More importantly, this option doesn't address the other two credential types that require rotation/refresh, making it an incomplete solution.
  • Option 3: Parameter Store does not provide native automatic rotation capabilities for any credential type. It would require custom rotation logic for the database credentials, failing the security and compliance requirements. Additionally, the "sync into Kubernetes Secrets" approach defeats the purpose of moving away from Kubernetes Secrets for security reasons-it still stores credentials in the potentially vulnerable Kubernetes secrets store.
  • Option 5: Implementing manual rotation through a Kubernetes CronJob introduces significant operational complexity and security risks (the CronJob itself needs permissions to modify Aurora credentials and Parameter Store values). Parameter Store doesn't offer automatic rotation, and daily checks for 30-day rotation are inefficient. This approach contradicts best practices and fails to meet the compliance requirement for reliable automated rotation.

Key Insight: This question tests understanding that different credential types require different management approaches. Static credentials, rotating credentials, and externally-refreshed tokens each have optimal handling patterns. The combination of Secrets Manager's native RDS rotation and Lambda-based custom refresh for OAuth tokens represents proper separation of concerns. Candidates must recognize when to use built-in rotation versus when custom logic is necessary.

Case Study 5

A logistics company runs a fleet management application that tracks delivery vehicles in real-time. The application consists of 200 microservices deployed across multiple AWS regions using Amazon ECS. Each microservice requires access to different subsets of configuration parameters based on their function: some need only regional API endpoints, others need service-specific timeouts and retry policies, and a few need access to third-party API keys. The architecture team has implemented a naming convention where parameters follow the pattern: /app-name/environment/region/service-name/parameter-name. The application currently experiences intermittent failures during deployment when new microservices start up, and investigation reveals these failures occur when multiple services simultaneously request their configuration parameters. The company uses AWS Organizations with separate accounts for development, staging, and production environments. Configuration parameters are accessed millions of times daily across all services.

What is the MOST LIKELY cause of the intermittent startup failures, and what should be implemented to resolve them?

  1. The failures are caused by insufficient IAM permissions when new services start. Implement AWS Secrets Manager to store all configuration parameters with resource-based policies that automatically grant access to new services based on tags, eliminating permission errors.
  2. The failures result from exceeding AWS Systems Manager Parameter Store standard throughput limits of 40 transactions per second. Upgrade to Parameter Store advanced parameters with higher throughput tier, or implement parameter caching in each microservice to reduce API calls during startup.
  3. The failures are caused by eventual consistency in parameter replication across regions. Switch to AWS Secrets Manager with cross-region replication enabled to ensure all regions have immediate access to the latest parameter values during service startup.
  4. The failures occur because Kubernetes ConfigMaps in EKS have size limitations that are exceeded when multiple parameters are loaded. Migrate to AWS AppConfig to deploy configurations through staged deployments with built-in validation to prevent oversized configurations from being deployed.

Answer & Explanation

Correct Answer: 2 - Parameter Store throughput limits with higher throughput tier or caching solution

Why this is correct: The scenario describes intermittent failures specifically when multiple services simultaneously request parameters during startup, and mentions millions of daily parameter accesses across 200 microservices. AWS Systems Manager Parameter Store standard parameters have a throughput limit of 40 transactions per second per AWS account per region. With 200 microservices starting up simultaneously (common during deployments) and each making multiple GetParameter or GetParametersByPath calls, this easily exceeds the 40 TPS limit, causing API throttling and startup failures. The solution is either to use Parameter Store advanced parameters with higher throughput pricing tier (up to 1,000+ TPS) or implement client-side caching to reduce the number of API calls-services can cache parameters locally and only refresh periodically.

Why the other options are wrong:

  • Option 1: IAM permission issues would cause consistent failures for specific services, not intermittent failures across different services during simultaneous startups. Secrets Manager does not automatically grant permissions based on tags-IAM policies must still be properly configured. Additionally, Secrets Manager is more expensive than Parameter Store and unnecessary for configuration parameters that don't require rotation, making this an incorrect diagnosis and inappropriate solution.
  • Option 3: Parameter Store parameter values are not replicated across regions-each region maintains its own parameter store. If the application were experiencing eventual consistency issues, the problem would be with recently updated parameters being read, not with simultaneous access during startup. The scenario describes failures during startup bursts, not data consistency issues. Furthermore, the hierarchical naming convention including region suggests parameters are already region-specific.
  • Option 4: The scenario clearly states the application uses Amazon ECS, not Amazon EKS (Kubernetes). This option incorrectly assumes Kubernetes is being used and misdiagnoses the problem as ConfigMap size limitations. Additionally, AppConfig is designed for controlled configuration deployments with validation and rollback capabilities, not for solving API throughput issues during service startup.

Key Insight: This question tests whether candidates can diagnose a problem based on symptoms and understand service limits. "Intermittent failures during simultaneous requests" is the key phrase pointing to API throttling. Many candidates might overlook Parameter Store throughput limits because the standard tier's 40 TPS limit seems high until you consider concurrent service startups. Understanding when caching is appropriate versus when to pay for higher throughput distinguishes strong architects.

Case Study 6

A pharmaceutical research company is building a clinical trial management platform on AWS that must comply with FDA 21 CFR Part 11 requirements for electronic records and signatures. The platform uses Amazon RDS for MySQL to store patient data and requires database credentials to be managed with strict access controls and audit trails. Regulatory requirements mandate that any changes to database access credentials must be logged with who made the change, when it was made, and the reason for the change. The credentials must be encrypted both in transit and at rest using FIPS 140-2 validated cryptographic modules. The security team requires that credentials be rotated every 60 days, and any access to credentials must be traceable to specific individuals or systems. The platform runs in a single AWS region with multiple availability zones. Development, staging, and production environments use separate databases, and cross-environment access must be prevented. The company's compliance officer needs to generate quarterly reports showing all credential access events.

Which solution BEST meets these regulatory and security requirements?

  1. Use AWS Secrets Manager to store database credentials with automatic rotation enabled every 60 days. Enable AWS CloudTrail logging for all Secrets Manager API calls, encrypt secrets using AWS KMS with customer managed keys, and implement IAM policies with condition keys that restrict access based on environment tags and require MFA for credential retrieval.
  2. Store database credentials in AWS Systems Manager Parameter Store advanced parameters encrypted with AWS KMS. Create custom Lambda functions for rotation that log changes to Amazon CloudWatch Logs, implement IAM policies that separate access by environment, and configure AWS Config to track parameter modifications for compliance reporting.
  3. Deploy HashiCorp Vault on Amazon EC2 instances with MySQL database secrets engine enabled for dynamic credential generation. Configure Vault audit logging to CloudWatch Logs, use AWS KMS for Vault's seal mechanism, and implement Vault policies that separate access by environment and require user authentication.
  4. Use AWS Secrets Manager with KMS encryption and automatic rotation. Implement AWS Organizations service control policies (SCPs) to prevent cross-environment access, enable VPC endpoints for Secrets Manager to ensure transit encryption, and configure Amazon Athena queries against CloudTrail logs stored in S3 for quarterly compliance reports.

Answer & Explanation

Correct Answer: 1 - Secrets Manager with CloudTrail, KMS customer managed keys, and conditional IAM policies

Why this is correct: AWS Secrets Manager provides automatic rotation aligned with the 60-day requirement without custom code. CloudTrail automatically logs all Secrets Manager API calls (GetSecretValue, RotateSecret, etc.) with detailed information about who accessed what and when, meeting audit requirements. AWS KMS uses FIPS 140-2 validated hardware security modules for encryption at rest, and all AWS API calls are encrypted in transit using TLS. Customer managed KMS keys provide additional control and audit trails for encryption operations. IAM condition keys (like aws:RequestedRegion, resource tags, and aws:MultiFactorAuthPresent) enable fine-grained access control that prevents cross-environment access and can require MFA. CloudTrail logs can be queried using Athena for quarterly compliance reports. This solution uses fully managed AWS services that are designed to meet compliance requirements.

Why the other options are wrong:

  • Option 2: Parameter Store does not provide native automatic rotation-custom Lambda functions are required, introducing operational complexity and potential security gaps in the rotation logic. While Parameter Store supports KMS encryption and CloudTrail logging, AWS Config tracks resource configuration changes, not access events. The compliance requirement is to log who accessed credentials, not just when they were modified. CloudWatch Logs from custom Lambda rotation functions don't provide the same comprehensive audit trail as Secrets Manager's native integration with CloudTrail for all access operations.
  • Option 3: While HashiCorp Vault is a capable secrets management solution, deploying and managing Vault on EC2 introduces significant operational overhead-the company must handle Vault clustering, high availability, patching, backup, and disaster recovery. Vault running on EC2 is not a fully managed service and creates infrastructure that must be maintained, secured, and demonstrated as compliant to auditors. This adds complexity compared to using AWS-native fully managed services. Additionally, FDA compliance is easier to demonstrate with AWS services that have extensive compliance certifications.
  • Option 4: While this option uses appropriate services (Secrets Manager, KMS, CloudTrail, Athena), AWS Organizations SCPs operate at the account level and control what actions principals in accounts can perform-they don't provide the fine-grained, attribute-based access control needed to prevent cross-environment access within a single account's resources. VPC endpoints are useful but not required for transit encryption (all AWS API calls use TLS). This option's access control mechanism is less precise than the IAM condition keys specified in Option 1, making it less suitable for the strict separation requirements.

Key Insight: Compliance requirements drive architectural decisions toward fully managed, auditable AWS services. Secrets Manager is purpose-built for this use case with comprehensive audit trails through CloudTrail, native rotation, and encryption using FIPS-validated modules. The key differentiator is recognizing that CloudTrail logging of Secrets Manager API calls provides the detailed "who, what, when" audit trail required for regulatory compliance, whereas custom solutions or Config-based tracking don't capture access events with the same fidelity.

Case Study 7

A gaming company has developed a mobile game with 2 million daily active users. The game backend runs on Amazon EKS and requires configuration values such as game difficulty parameters, item drop rates, event schedules, and feature flags. The game design team needs to modify these parameters multiple times per day based on player analytics and A/B testing results-sometimes making adjustments every few hours during special events. Changes must be deployed immediately to all game servers across multiple regions (us-east-1, eu-west-1, ap-southeast-1) without requiring pod restarts, as restarts would disconnect active players and damage user experience. The operations team has experienced issues where configuration changes were deployed that caused game crashes, requiring rollbacks. The company wants to implement validation of configuration changes before deployment and needs the ability to instantly roll back to previous configurations if issues occur. The architecture team requires a solution that supports gradual deployment of configuration changes-first to 10% of servers, then 50%, then 100%-to minimize risk. Parameter access occurs approximately 100,000 times per minute across all regions during peak usage.

Which solution BEST addresses these operational requirements?

  1. Use AWS Systems Manager Parameter Store advanced parameters with high-throughput tier. Implement a Lambda function triggered by Parameter Store changes that validates configurations against a JSON schema and automatically propagates changes to all regions. Configure application pods to poll Parameter Store every 30 seconds for updates.
  2. Implement AWS AppConfig with deployment strategies configured for gradual rollout. Store configurations in Amazon S3, define validators to check configuration syntax before deployment, and configure the AppConfig agent in application pods to retrieve configurations and automatically apply updates without restarts. Enable rollback triggers based on CloudWatch alarms.
  3. Store configurations in AWS Secrets Manager across all regions with cross-region replication enabled. Implement a custom orchestration service using Step Functions that validates changes, deploys to regions sequentially with health checks between each region, and uses EventBridge to notify application pods to reload configurations.
  4. Use AWS Systems Manager Parameter Store with standard parameters organized hierarchically. Create a CI/CD pipeline using AWS CodePipeline that validates parameters, promotes them through test stages, and uses AWS Systems Manager Run Command to push configuration updates to application pods through a sidecar container.

Answer & Explanation

Correct Answer: 2 - AWS AppConfig with deployment strategies and validators

Why this is correct: AWS AppConfig is specifically designed for this use case-managing application configuration that changes frequently and requires controlled, gradual deployment. AppConfig deployment strategies enable percentage-based gradual rollouts (10%, 50%, 100%) with configurable bake times between stages. Validators can be configured to check JSON schema or run Lambda functions to validate configuration before deployment, preventing invalid configurations from reaching production. CloudWatch alarm-based rollback triggers automatically revert to previous configurations if error rates spike. The AppConfig agent runs as a sidecar container or within the application, polls for configuration updates, and makes them available without pod restarts-meeting the critical requirement to avoid disconnecting players. AppConfig caches configurations locally at the agent level, reducing API calls and handling 100,000 requests per minute easily. Cross-region deployment is supported natively.

Why the other options are wrong:

  • Option 1: While Parameter Store high-throughput tier can handle the API load, Parameter Store does not provide native gradual deployment strategies, validation frameworks, or automatic rollback capabilities. The proposed Lambda-based validation and propagation would require significant custom development. Polling every 30 seconds introduces latency for urgent configuration changes during events. Parameter Store is designed for configuration storage, not for controlled configuration deployment with safety mechanisms. Building deployment orchestration, validation, and rollback logic custom contradicts the principle of using managed services for solved problems.
  • Option 3: Secrets Manager is designed for secrets management (credentials, API keys), not application configuration that changes multiple times daily. Using Secrets Manager for game parameters like item drop rates is architecturally inappropriate and cost-ineffective ($0.40 per secret per month would be expensive for numerous configuration parameters). Cross-region replication, while useful, doesn't provide gradual deployment, validation, or percentage-based rollouts. Building custom orchestration with Step Functions and EventBridge adds complexity when AppConfig provides these features natively.
  • Option 4: Standard Parameter Store parameters have a throughput limit of 40 transactions per second per region, completely inadequate for 100,000 parameter retrievals per minute (approximately 1,667 per second). Even with caching, this would be insufficient. AWS Systems Manager Run Command is designed for executing commands on EC2 instances, not for updating containerized applications in EKS. The proposed CI/CD pipeline approach introduces deployment latency inconsistent with the requirement for changes "every few hours" during events. This solution doesn't provide validation, gradual rollout, or instant rollback capabilities.

Key Insight: AWS AppConfig is frequently overlooked in favor of Parameter Store or Secrets Manager, but it's purpose-built for dynamic application configuration with controlled deployment. The key requirements-gradual rollout percentages, validation before deployment, automatic rollback, and updates without restarts-directly map to AppConfig's feature set. Recognizing when configuration management requires deployment orchestration versus simple storage distinguishes architects who understand service selection based on operational requirements.

Case Study 8

A software-as-a-service (SaaS) company provides a multi-tenant marketing automation platform used by 500 enterprise customers. Each customer's account is isolated in a separate AWS account managed through AWS Organizations. The application uses a shared services account that hosts common infrastructure including an Amazon RDS Aurora PostgreSQL cluster used for platform analytics. Customer accounts need to access this shared analytics database to export their data, but each customer should only be able to access their own data through row-level security implemented in the database. The security architecture team requires that each customer account use unique database credentials that can be traced back to the specific customer for audit purposes. Credentials must be rotated monthly for each customer account independently-if credentials for Customer A are compromised, rotating them should not affect credentials for any other customer. The solution must scale to support 500 current customers with plans to grow to 2,000 customers within 18 months. The DevOps team wants to minimize the operational burden of managing hundreds of separate credentials and their rotation schedules.

What is the MOST operationally efficient solution for managing these customer-specific database credentials?

  1. Create 500 individual secrets in AWS Secrets Manager in the shared services account, one per customer, with automatic rotation enabled. Use resource-based policies on each secret to grant cross-account access to the corresponding customer account. Tag each secret with customer ID for tracking and enable CloudTrail for audit logging.
  2. Store all customer credentials in AWS Systems Manager Parameter Store advanced parameters in the shared services account using a hierarchical structure like /customers/customer-id/db-credentials. Implement a centralized Lambda function that rotates all credentials on a monthly schedule and publishes updated credentials to each customer account's Parameter Store through cross-account API calls.
  3. Implement AWS Secrets Manager in each customer account with automatic rotation enabled. Create a cross-account IAM role in the shared services account that each customer account's application can assume to access the Aurora database. Store customer-specific credentials in each customer's own account, with rotation managed independently per account.
  4. Deploy an Amazon Cognito user pool for customer authentication and use Cognito identity pools to generate temporary database credentials through IAM database authentication for Aurora. Configure identity pools to map each customer identity to their specific row-level security policies in the database, eliminating the need for long-term credentials.

Answer & Explanation

Correct Answer: 1 - Individual secrets in Secrets Manager with cross-account access via resource policies

Why this is correct: Storing individual secrets in the shared services account's Secrets Manager with automatic rotation enabled meets all requirements efficiently. Each secret can be configured with independent rotation schedules, so compromised credentials for one customer don't trigger rotation for others. Resource-based policies on each secret grant cross-account GetSecretValue permission to the specific customer account, maintaining isolation. Automatic rotation happens independently per secret without manual intervention-critical for scaling to 2,000 customers. Tagging enables tracking and reporting by customer. CloudTrail logs in the shared services account capture which customer account accessed which secret, providing the audit trail. This approach centralizes credential management in one account (reducing complexity) while maintaining per-customer isolation and automatic rotation, scaling efficiently as customer count grows.

Why the other options are wrong:

  • Option 2: Parameter Store does not provide native automatic rotation. The proposed centralized Lambda function would need to orchestrate rotation for 500+ credentials monthly, managing Aurora user password changes and Parameter Store updates for each customer-significant custom development. Making cross-account API calls to write updated credentials to each customer's Parameter Store requires IAM roles in every customer account and error handling for cross-account operations. This approach creates substantial operational overhead and custom code that must be maintained, directly contradicting the requirement to minimize operational burden as the platform scales.
  • Option 3: While storing credentials in each customer account provides isolation, this distributes credential management across 500 separate accounts. Each account would need its own Secrets Manager configuration with rotation, its own KMS keys, and its own monitoring. This creates 500 separate management points rather than centralizing management. More critically, Secrets Manager rotation for RDS requires the rotation Lambda function to access the database-but the Aurora cluster is in the shared services account. Each customer account's rotation function would need complex cross-account networking and IAM permissions to modify database users, creating significant architectural complexity. This approach does not minimize operational burden.
  • Option 4: Amazon Cognito is designed for user authentication in web and mobile applications, not for programmatic database access in a SaaS backend architecture. IAM database authentication for Aurora generates temporary credentials, which is a valid approach, but implementing it through Cognito identity pools for 500 enterprise customer accounts is architecturally inappropriate-Cognito is for end-user identities, not tenant-level service authentication. Additionally, IAM database authentication has connection limits and performance considerations that may not scale well. The scenario describes backend data export operations, not user-facing applications where Cognito excels. This misapplies Cognito to a problem it wasn't designed to solve.

Key Insight: Multi-tenant SaaS architectures present unique credential management challenges. The key insight is recognizing that centralizing credential storage in the shared services account while using resource-based policies for cross-account access provides the best balance of operational simplicity and security isolation. Secrets Manager's automatic rotation scales efficiently because it's service-managed-adding 1,500 more customers just means creating more secrets with rotation enabled, not building custom rotation infrastructure. Understanding when to centralize versus distribute across accounts is a critical multi-account architecture skill.

Case Study 9

A telecommunications company is migrating a customer billing system from on-premises to AWS. The billing application is a legacy monolithic Java application running on Linux servers that reads database credentials from a properties file at application startup. The application establishes a connection pool to an Oracle database (now migrating to Amazon RDS Oracle) at startup and maintains these connections throughout the application's runtime, which typically runs for weeks between restarts. The database team has implemented a security policy requiring credential rotation every 30 days. However, the application code cannot be modified to dynamically refresh database connections-any change to database credentials requires an application restart, which causes 5-10 minutes of downtime during business hours. The business stakeholders have stated that downtime during business hours (8 AM - 6 PM) is unacceptable. The application runs in an Auto Scaling group behind an Application Load Balancer with 6 instances for high availability. The operations team wants a solution that maintains the credential rotation requirement while avoiding business-hour downtime.

Which solution BEST satisfies both the security requirement for credential rotation and the business requirement to avoid downtime?

  1. Store database credentials in AWS Secrets Manager with automatic rotation enabled using a multi-user rotation strategy. Configure two sets of database users with identical permissions. During rotation, Secrets Manager rotates the inactive user's password while the application continues using the active user, then switches. Schedule application rolling restarts outside business hours to pick up the rotated credentials.
  2. Use AWS Systems Manager Parameter Store to store database credentials as SecureString parameters. Implement AWS Lambda functions that rotate credentials in RDS and Parameter Store every 30 days during a scheduled maintenance window outside business hours (7 PM - 7 AM). After rotation completes, trigger AWS Systems Manager Run Command to restart application instances in a rolling fashion.
  3. Implement Amazon RDS Proxy between the application and the RDS Oracle database. Store credentials in AWS Secrets Manager with automatic rotation enabled. RDS Proxy handles connection pooling and credential rotation transparently, allowing credentials to rotate without requiring application restarts or database connection changes.
  4. Store credentials in AWS Secrets Manager with automatic rotation enabled every 30 days. Create a custom rotation Lambda function that rotates credentials and automatically performs rolling restarts of the Auto Scaling group instances outside business hours using lifecycle hooks and EventBridge scheduled rules to ensure rotations occur only during maintenance windows.

Answer & Explanation

Correct Answer: 3 - Amazon RDS Proxy with Secrets Manager automatic rotation

Why this is correct: Amazon RDS Proxy acts as a database proxy that sits between applications and RDS databases, managing connection pooling and handling credential rotation transparently. When credentials in Secrets Manager are rotated, RDS Proxy automatically begins using the new credentials for new connections while maintaining existing connections with old credentials until they naturally close. The application continues to connect to the same RDS Proxy endpoint using the same credentials-retrieval mechanism at startup, but RDS Proxy handles all credential complexity behind the scenes. This solution enables 30-day rotation without any application restarts or downtime-meeting both the security policy and business requirements perfectly. RDS Proxy provides additional benefits like connection pooling, failover handling, and improved database efficiency. This is the only solution that achieves rotation without downtime.

Why the other options are wrong:

  • Option 1: While multi-user rotation strategy is a valid Secrets Manager feature, this solution still requires application restarts (scheduled outside business hours) to pick up the rotated credentials. The application reads credentials from Secrets Manager at startup and establishes a connection pool that it uses throughout its runtime. Even with two database users, the application won't switch to using the newly rotated user until it restarts and reads the updated secret. This approach improves the rotation process but doesn't eliminate the need for restarts-it just schedules them outside business hours. If credentials must be rotated during business hours (e.g., due to suspected compromise), this solution fails the no-downtime requirement.
  • Option 2: This solution explicitly schedules rotation and restarts outside business hours, which addresses the business requirement but creates operational constraints. If credentials need emergency rotation during business hours (security incident), the system cannot comply with the 30-day policy without downtime. Parameter Store doesn't provide automatic rotation-custom Lambda functions must be maintained. Systems Manager Run Command works for EC2 instances but adds complexity to the restart orchestration. This approach treats the symptoms (scheduling around downtime) rather than solving the root problem (eliminating downtime during rotation).
  • Option 4: Like Options 1 and 2, this solution still requires application restarts-it just automates orchestration and schedules them outside business hours using lifecycle hooks. Custom Lambda functions must be developed and maintained for rotation orchestration and rolling restart coordination. The core issue remains: the application cannot rotate credentials without restarting. While this automates the operational process, it doesn't satisfy the business requirement if emergency rotation is needed during business hours. Additionally, the complexity of custom orchestration code increases operational burden.

Key Insight: Legacy application constraints (cannot modify code, reads credentials at startup, maintains long-lived connection pools) are common in migration scenarios. RDS Proxy is specifically designed to solve this problem-it decouples credential management from application connection management. Many candidates overlook RDS Proxy or don't recognize it as a solution for credential rotation challenges. The key is understanding that proxies can abstract infrastructure concerns (like credential rotation) away from applications, enabling modern security practices with legacy applications that cannot be easily modified.

Case Study 10

A financial technology startup is building a payment processing platform that integrates with multiple third-party payment gateways (Stripe, PayPal, Square, Adyen). Each gateway requires different authentication credentials: Stripe uses API keys, PayPal uses OAuth 2.0 client credentials with token refresh, Square uses OAuth with bearer tokens, and Adyen uses basic authentication with username and password. The platform must support adding new payment gateways monthly as the business expands internationally. The application architecture uses AWS Lambda functions for payment processing, with different functions handling different gateways. The compliance team requires detailed audit logs showing which Lambda function accessed which gateway credentials and when. The development team reports that deployment times have increased significantly because updating a single gateway's credentials requires redeploying all Lambda functions that use a shared configuration file. The CTO wants to implement a solution that allows updating credentials without redeploying code and supports the variety of credential types used by different gateways. The platform processes approximately 50,000 transactions daily with spiky traffic patterns.

Which solution provides the MOST flexibility for managing these diverse credential types while meeting the operational requirements?

  1. Store all credentials in AWS Secrets Manager with separate secrets for each payment gateway. Implement automatic rotation for Stripe API keys, and create custom Lambda rotation functions for OAuth-based gateways (PayPal, Square) that refresh tokens before expiry. Configure Lambda functions to retrieve credentials from Secrets Manager at runtime using the AWS SDK, enabling credential updates without code redeployment.
  2. Use AWS Systems Manager Parameter Store advanced parameters organized hierarchically by gateway (/payment-gateways/stripe/api-key, /payment-gateways/paypal/client-id). Store OAuth tokens with automatic refresh logic implemented in a shared Lambda layer that all payment processing functions include. Update parameters through a CI/CD pipeline that validates credentials before deployment.
  3. Implement AWS AppConfig to store all payment gateway credentials as feature flags with JSON configuration. Create a deployment pipeline that validates credential formats before deploying to Lambda functions. Configure Lambda functions to poll AppConfig for credential updates every 5 minutes, allowing credential rotation without redeployment.
  4. Store each gateway's credentials in AWS Secrets Manager and create a VPC endpoint for Secrets Manager to reduce latency. Implement Amazon API Gateway with Lambda authorizers that retrieve gateway credentials and inject them into payment processing Lambda functions as request headers, centralizing credential retrieval in the authorizer layer.

Answer & Explanation

Correct Answer: 1 - AWS Secrets Manager with custom rotation for OAuth credentials

Why this is correct: AWS Secrets Manager is designed specifically for managing credentials with diverse rotation requirements. It supports storing any secret type (API keys, OAuth tokens, username/password) with flexible rotation policies. For Stripe API keys that don't auto-expire, automatic rotation can be configured to periodically generate new keys through Stripe's API. For OAuth-based gateways, custom Lambda rotation functions can implement the OAuth refresh token flow before tokens expire, storing updated access tokens in Secrets Manager. Each gateway's credentials are isolated in separate secrets, enabling independent rotation schedules and simplifying adding new gateways. Lambda functions retrieve credentials at runtime via AWS SDK-when credentials update in Secrets Manager, functions automatically use new values on next retrieval without redeployment. CloudTrail automatically logs all GetSecretValue API calls with Lambda function ARN, satisfying audit requirements. This architecture decouples credential management from application deployment, solving the deployment time problem while providing the flexibility needed for diverse credential types.

Why the other options are wrong:

  • Option 2: While Parameter Store can store credentials, it doesn't provide native rotation capabilities-all rotation logic must be custom-built. Implementing OAuth token refresh in a shared Lambda layer creates tight coupling between infrastructure (credential management) and application code (the Lambda layer). Updating the refresh logic requires updating the Lambda layer and redeploying all functions that use it-this doesn't solve the redeployment problem stated in the scenario. CI/CD pipeline validation of credentials adds deployment overhead rather than enabling dynamic updates. Parameter Store lacks the purpose-built credential management features (versioning, rotation templates, audit integration) that Secrets Manager provides.
  • Option 3: AWS AppConfig is designed for application configuration and feature flags, not credential management. Storing credentials as "feature flags" is architecturally inappropriate and misuses the service. AppConfig doesn't provide encryption specifically designed for secrets or native integration with credential rotation patterns. Polling every 5 minutes introduces latency for credential updates and unnecessary API calls. AppConfig doesn't log credential access events with the same audit detail as Secrets Manager with CloudTrail. The validation and deployment pipeline features of AppConfig are designed for application configuration changes, not for security-sensitive credential rotation operations.
  • Option 4: While using API Gateway with Lambda authorizers centralizes credential retrieval, passing credentials as request headers between API Gateway and Lambda functions exposes credentials in transit within the AWS infrastructure (though still encrypted via TLS). This architecture is more complex than necessary-payment processing Lambda functions can directly retrieve credentials from Secrets Manager without an intermediary authorizer layer. The authorizer pattern is typically used for authenticating incoming requests, not for injecting credentials into downstream services. This adds unnecessary components and latency (additional Lambda invocation for authorizer) without solving the core problems better than direct Secrets Manager integration. VPC endpoints reduce latency but are not required for this use case.

Key Insight: Real-world credential management often involves heterogeneous credential types with different rotation mechanisms (API keys, OAuth tokens with refresh, basic auth). Secrets Manager's flexibility-supporting both automatic rotation with templates and custom rotation with Lambda functions-makes it suitable for complex credential portfolios. The ability to update credentials without code redeployment is critical for operational agility. Understanding that credential management should be decoupled from application deployment, and that Secrets Manager is specifically designed for this decoupling, distinguishes architects who can design scalable, maintainable systems from those who might use general-purpose configuration services inappropriately.

The document Case Studies: Secrets Manager vs Parameter Store is a part of the AWS Solutions Architect Course AWS Solutions Architect: Associate Level.
All you need of AWS Solutions Architect at this link: AWS Solutions Architect
Join Course for Free
About this Document
Apr 20, 2026 Last updated
Related Exams
Document Description: Case Studies: Secrets Manager vs Parameter Store for AWS Solutions Architect 2026 is part of AWS Solutions Architect: Associate Level preparation. The notes and questions for Case Studies: Secrets Manager vs Parameter Store have been prepared according to the AWS Solutions Architect exam syllabus. Information about Case Studies: Secrets Manager vs Parameter Store covers topics like and Case Studies: Secrets Manager vs Parameter Store Example, for AWS Solutions Architect 2026 Exam. Find important definitions, questions, notes, meanings, examples, exercises and tests below for Case Studies: Secrets Manager vs Parameter Store.
Introduction of Case Studies: Secrets Manager vs Parameter Store in English is available as part of our AWS Solutions Architect: Associate Level for AWS Solutions Architect & Case Studies: Secrets Manager vs Parameter Store in Hindi for AWS Solutions Architect: Associate Level course. Download more important topics related with notes, lectures and mock test series for AWS Solutions Architect Exam by signing up for free. AWS Solutions Architect: Case Studies: Secrets Manager vs Parameter Store
Description
Case Studies: Secrets Manager vs Parameter Store of AWS Solutions Architect covers all the important topics, helping you prepare for the AWS Solutions Architect exam on EduRev.
Information about Case Studies: Secrets Manager vs Parameter Store
In this doc you can find the meaning of Case Studies: Secrets Manager vs Parameter Store defined & explained in the simplest way possible. Besides explaining types of Case Studies: Secrets Manager vs Parameter Store theory, EduRev gives you an ample number of questions to practice Case Studies: Secrets Manager vs Parameter Store tests, examples and also practice AWS Solutions Architect tests
Explore Courses for AWS Solutions Architect exam
Get EduRev Notes directly in your Google search
Related Searches
Case Studies: Secrets Manager vs Parameter Store, past year papers, MCQs, Case Studies: Secrets Manager vs Parameter Store, video lectures, Sample Paper, Viva Questions, Free, Summary, Case Studies: Secrets Manager vs Parameter Store, study material, Important questions, Semester Notes, mock tests for examination, Previous Year Questions with Solutions, Objective type Questions, ppt, practice quizzes, Extra Questions, pdf , Exam, shortcuts and tricks;
;
Additional Information about Case Studies: Secrets Manager vs Parameter Store for AWS Solutions Architect Preparation

Case Studies: Secrets Manager vs Parameter Store Free PDF Download

The Case Studies: Secrets Manager vs Parameter Store is an invaluable resource that delves deep into the core of the AWS Solutions Architect exam. These study notes are curated by experts and cover all the essential topics and concepts, making your preparation more efficient and effective. With the help of these notes, you can grasp complex subjects quickly, revise important points easily, and reinforce your understanding of key concepts. The study notes are presented in a concise and easy-to-understand manner, allowing you to optimize your learning process. Whether you're looking for best-recommended books, sample papers, study material, or toppers' notes, this PDF has got you covered. Download the Case Studies: Secrets Manager vs Parameter Store now and kickstart your journey towards success in the AWS Solutions Architect exam.

Importance of Case Studies: Secrets Manager vs Parameter Store

The importance of Case Studies: Secrets Manager vs Parameter Store cannot be overstated, especially for AWS Solutions Architect aspirants. This document holds the key to success in the AWS Solutions Architect exam. It offers a detailed understanding of the concept, providing invaluable insights into the topic. By knowing the concepts well in advance, students can plan their preparation effectively. Utilize this indispensable guide for a well-rounded preparation and achieve your desired results.

Case Studies: Secrets Manager vs Parameter Store Notes

Case Studies: Secrets Manager vs Parameter Store Notes offer in-depth insights into the specific topic to help you master it with ease. This comprehensive document covers all aspects related to Case Studies: Secrets Manager vs Parameter Store. It includes detailed information about the exam syllabus, recommended books, and study materials for a well-rounded preparation. Practice papers and question papers enable you to assess your progress effectively. Additionally, the paper analysis provides valuable tips for tackling the exam strategically. Access to Toppers' notes gives you an edge in understanding complex concepts. Whether you're a beginner or aiming for advanced proficiency, Case Studies: Secrets Manager vs Parameter Store Notes on EduRev are your ultimate resource for success.

Case Studies: Secrets Manager vs Parameter Store AWS Solutions Architect Questions

The "Case Studies: Secrets Manager vs Parameter Store AWS Solutions Architect Questions" guide is a valuable resource for all aspiring students preparing for the AWS Solutions Architect exam. It focuses on providing a wide range of practice questions to help students gauge their understanding of the exam topics. These questions cover the entire syllabus, ensuring comprehensive preparation. The guide includes previous years' question papers for students to familiarize themselves with the exam's format and difficulty level. Additionally, it offers subject-specific question banks, allowing students to focus on weak areas and improve their performance.

Study Case Studies: Secrets Manager vs Parameter Store on the App

Students of AWS Solutions Architect can study Case Studies: Secrets Manager vs Parameter Store alongwith tests & analysis from the EduRev app, which will help them while preparing for their exam. Apart from the Case Studies: Secrets Manager vs Parameter Store, students can also utilize the EduRev App for other study materials such as previous year question papers, syllabus, important questions, etc. The EduRev App will make your learning easier as you can access it from anywhere you want. The content of Case Studies: Secrets Manager vs Parameter Store is prepared as per the latest AWS Solutions Architect syllabus.
Signup on EduRev and stay on top of your study goals
10M+ students crushing their study goals daily