A microservice uses AWS Secrets Manager to store database credentials. What happens when automatic rotation is enabled?
Think about how automation helps keep secrets fresh without downtime.
AWS Secrets Manager automates secret rotation by updating the secret value and invoking a Lambda function to update the credentials in the target service, ensuring seamless and secure rotation.
You have multiple microservices that need to access secrets stored in HashiCorp Vault. What is the best way to manage access securely?
Consider the principle of least privilege and identity separation.
Each microservice should authenticate with Vault using its own identity and have permissions scoped to only the secrets it requires. This limits risk if one service is compromised.
A microservice tries to retrieve a secret from AWS Secrets Manager, but the secret has been revoked or deleted. What error will the microservice receive?
Think about what happens when a requested resource does not exist.
If the secret is revoked or deleted, AWS Secrets Manager returns a ResourceNotFoundException indicating the secret cannot be found.
Vault can generate dynamic database credentials on demand. What is the main advantage of this approach compared to static secrets?
Think about how temporary credentials improve security.
Dynamic secrets are generated with limited lifetime and automatically revoked after use, reducing the risk if credentials are leaked.
You want to allow a microservice running on AWS ECS to access specific secrets in AWS Secrets Manager. Which approach follows best security practices?
Consider AWS best practices for credentials and permissions.
Assigning an IAM role to the ECS task with least privilege permissions avoids hardcoding credentials and limits access scope, improving security.