AWS Certified Database – Specialty – Question96

A company is going through a security audit. The audit team has identified cleartext master user password in the AWS CloudFormation templates for Amazon RDS for MySQL DB instances. The audit team has flagged this as a security risk to the database team.
What should a database specialist do to mitigate this risk?

Change all the databases to use AWS IAM for authentication and remove all the cleartext passwords in CloudFormation templates.
B. Use an AWS Secrets Manager resource to generate a random password and reference the secret in the CloudFormation template.
C. Remove the passwords from the CloudFormation templates so Amazon RDS prompts for the password when the database is being created.
D. Remove the passwords from the CloudFormation template and store them in a separate file. Replace the passwords by running CloudFormation using a sed command.

Correct Answer: C